I am unfortunately aware this article is too late to share in the fanfare of OldBoot.B. For those unaware, and as a recap for those who are, about midway through April a new Android threat called OldBoot.B was discovered and crowned the most sophisticated Android malware to date. Armor for Android has been detecting this threat since its discovery. However, for reasons somewhat out of my control (a.k.a. surgery) I have not been able to provide you, dear reader, with the overview that you deserve.
So without further ado I present to you the analysis of OldBoot.B, broken down from tech speak (which, at times, may as well be Swahili) into the common tongue for your viewing pleasure.
The OldBoot Family Tree
Oldboot.B is the newest variant of the OldBoot malware family (for the purposes of this article we will refer to the original OldBoot malware as OldBoot.A). OldBoot.A was discovered in January, 2014, by Russian security firm Dr.Web. A few months later in April, OldBoot.B was discovered by Chinese security company Qihoo 360 Technology Co, who, I believe, missed an opportunity to start a footwear themed android malware family tree (ex. OldSandal), but I digress.
OldBoot.A is a formidable piece of Android malware and carries the title "first ever Android bootkit." When the original OldBoot.A was discovered it was probably the most sophisticated Android threat of its time, though it was never given the title as such. OldBoot.A was the prototype that has since been developed further to create OldBoot.B.
OldBoot.B includes all of the malicious functions of OldBoot.A and some nifty new features. As I describe the characteristics of OldBoot.A consider that they are also the foundations on which OldBoot.B was built.
OldBoot.A + Nifty Features = OldBoot.B
As the first Bootkit malware for Android, OldBoot.A does something that had never been previously observed on the Android platform. OldBoot.A injects malicious code into the Android operations system (OS). Specifically, OldBoot.A modifies the Android start up process to run malicious OldBoot code during startup. When an infected Android device is rebooted the malicious code is executed and two malicious files are extracted. The first malicious file is called libgooglekernel.so which is placed in the Android system library. The second malicious file is called GoogleKernel.apk and it is installed as an application on the device. These two files do the main dirty work for OldBoot.A.
Working together, the libgooglekernel.so and GoogleKernel.apk open a backdoor from the device to contact a remote command and control (C&C) server. This activity essentially turns the infected device into a mobile bot which can be controlled by the C&C server. Mobile botnets are a growing malware problem affecting Android users.
These backdoor communications between the infected device and C&C server are nefarious, as backdoor communications tend to be. OldBoot.A can uninstall applications from the device, but more importantly it can install applications on the device completely without the user's knowledge or permission. This is incredibly dangerous. OldBoot can potentially install any application that may have any number of malicious functions, from spyware to banking Trojans. Once the additional malware has served its malicious purpose Oldboot.A can then remove it and the user will be none the wiser.
Last but not least, it is also nearly impossible to remove OldBoot from an infected device. The malware modifies the Android OS in such a way that if the user were to uninstall the libgooglekernel.so and GoogleKernel.apk file (which is possible) the malicious OldBoot.A start-up code will simply re-install each file when the device is rebooted. The only way to remove OldBoot.A is to manually repair the start up code or to factory rest the device.
Part Two: Nifty Features
OldBoot.A is no slouch, and OldBoot.B includes all of the malicious activities of its predecessor. This new variant of the OldBoot malware contains some advanced evasion techniques that truly put this Android malware in a class of its own.
As if it were not hard enough to remove this threat from an infected device, OldBoot.B takes steps to actively evade and disable antivirus applications. Before performing any malicious activity on the device OldBoot.B will check to see if the device is running an antivirus application. If an antivirus application is detected OldBoot.B will execute a root level command (pm disable) to disable to the antivirus application, OldBoot.B will then proceed to execute its illicit activities. Once OldBoot.B is finished with whichever malicious function it is executing it will then re-enable the antivirus application using another root level command (pm enable). OldBoot.B takes a special disliking to the Qihoo 360 antivirus application, if this particular brand of antivirus application is detected the OldBoot.B malware will completely uninstall the antivirus app from the device.
OldBoot.B uses stenography, the practice of hiding a message within an image, to conceal part of its malicious code. By hiding malicious code in seemingly innocuous files, such as images, OldBoot.B makes the discovery and analysis of its malicious activities much more difficult for mobile security researchers. While stenography is a practice developed long before computing, its implementation into PC/Android malware is an advanced concept, befitting the most sophisticated Android malware to date.
To prevent itself from being uninstalled, or any other additional malware from being uninstalled, OldBoot.B hijacks the files used in the install/uninstall process. OldBoot.B replaces an existing file in the Android OS with a malicious file called adb_server which allows OldBoot.B to monitor applications being uninstalled. If the device user attempts to uninstall one of the malicious OldBoot applications the adb_server file will prevent the app from being uninstalled but display a fake message to the user that the application was successfully uninstalled.
The OldBoot Android malware family is a virtual Swiss army knife of malicious activity. Once a device is infected it is incredibly difficult to repair, so it is important to know how to spot and avoid malware. Keep the following tips in mind when using your Android device to avoid malware and keep your device, and your personal information safe and secure.
- Install and USE an Android antivirus application. Antivirus application will help you detect malware before you install it and avoid becoming infected.
- Stay up-to-date with application and Android OS updates. Updates often include patches to newly discovered security vulnerabilities to make your device safer.
- Research applications before you download! Always read user reviews, check the developer's website and look for customer service and social media accounts to verify that an application developer is trustworthy before you download an application. ♦
James Green is a mobile security researcher who has worked in the Android security field for several years providing privacy and security advice to Android users. Email:James@ArmorforAndroid.com; Twitter:@James_AfA