Even after a thorough cleanup, your Android powered device could still be infected by a specially designed malware in the Oldboot family. A report released by the Chinese security researchers of "360 Mobile Security" says that the newly discovered variant, called Oldboot.B, has exactly the same features as Oldboot.A and adds advanced stealth techniques. This piece of malware resides in memory and can modify the infected device's boot partition and boot script file to launch system services, thereby extracting malicious applications during the early stages of booting.
This particular malware, which works in the background, has some frightening features:
- the ability to install malicious applications that were never manually installed by the user
- inject malicious modules
- modify the home page of the browser
- prevent malicious apps from being uninstalled
- disable all antivirus software on the device
The architecture of this Trojan is pretty simple with four major parts that start up automatically with the system boot.
The activities of the trojan are largely handled by three files, namely boot_tst, adb_server and meta_chk. The malicious activities begin once the trojan has successfully uninstalled all the antivirus software present on the device.
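Because the report says Oldboot.B launches its components as system services from a modified boot script, a post-cleanup check of the device's init script is one practical way to confirm a reinfection. The following Python script is an added example and is not code from the page or from 360 Mobile Security: it parses `service` stanzas from an init.rc-style file, flags any whose binary carries one of the three file names the page attributes to Oldboot.B, and flags any whose binary lives outside a set of directories assumed here to be the normal home of legitimate services. The sample init.rc fragment is constructed for the example. Since the malware runs before the system is fully up, the script should be run against a boot partition image dumped to a clean machine, not against the live filesystem of the suspect device.

```python
import re
from typing import Dict, List

# File names the page attributes to Oldboot.B; everything else in this script is an assumption.
OLDBOOT_NAMES = {"boot_tst", "adb_server", "meta_chk"}

# Directories where legitimate init services normally live (assumption for this example).
TRUSTED_DIRS = ("/system/bin/", "/system/xbin/", "/sbin/", "/vendor/bin/")

# Matches the first line of an init.rc service stanza: "service <name> <path> [args...]".
SERVICE_RE = re.compile(r"^\s*service\s+(\S+)\s+(\S+)", re.MULTILINE)


def parse_services(init_rc: str) -> Dict[str, str]:
    """Return {service_name: executable_path} for every 'service' stanza in the script."""
    return {m.group(1): m.group(2) for m in SERVICE_RE.finditer(init_rc)}


def suspicious_services(init_rc: str) -> List[str]:
    """Flag services whose binary is an Oldboot file name or lives outside the trusted dirs."""
    flagged = []
    for name, path in parse_services(init_rc).items():
        base = path.rsplit("/", 1)[-1]
        if base in OLDBOOT_NAMES or not path.startswith(TRUSTED_DIRS):
            flagged.append(name)
    return sorted(flagged)


# Constructed sample init.rc fragment (not a dump from a real device).
SAMPLE_INIT_RC = """
on boot
    class_start core

service adbd /sbin/adbd
    class core
    disabled

service boot_tst /sbin/boot_tst
    class core
    user root
    oneshot

service mediaserver /system/bin/mediaserver
    class main

service sync_svc /data/local/tmp/meta_chk
    class main
    user root
"""

if __name__ == "__main__":
    for svc in suspicious_services(SAMPLE_INIT_RC):
        print("suspicious service:", svc)
```

On the constructed sample the script reports `boot_tst` (flagged by name even though it sits in a trusted directory) and `sync_svc` (flagged both by the `meta_chk` binary name and by its location under `/data`). Replace `SAMPLE_INIT_RC` with the contents of the `init.rc` extracted from a dumped boot image to run it against a real device.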
The code of Oldboot.B's ELF file is stored encrypted; a decryption stub at the beginning decrypts the code and then executes it. Almost all strings used by the code are encrypted as well, which greatly increases the time needed to analyze it.
The malware also includes anti-analysis tricks: it inserts meaningless code that triggers random behavior, checks its runtime environment, and hinders certain processes by issuing false instructions.
The code that makes the trojan unable to delete or uninstall certain applications has been released by the Chinese researchers who first let the cat out of the bag about Oldboot.B.
If Oldboot.B finds that the app to be uninstalled is one of its own promotion apps, the adb_server component of the architecture will not uninstall it, but the uninstallation is still reported as successful.
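The failure mode just described, an uninstall that is reported as successful while the package remains installed, can be caught by never trusting the reported status on its own. The following Python helper is an added example, not code from the page or from the researchers: it parses the `package:<name>` lines printed by `pm list packages`, compares them with the status string the uninstall command returned, and classifies the outcome. The sample outputs are constructed for the example. On a device where Oldboot.B is active the package list could itself be tampered with, so the comparison is most trustworthy when the "after" listing is taken from recovery or from a clean environment.

```python
from typing import Set


def parse_pm_list(output: str) -> Set[str]:
    """Parse 'pm list packages' output (one 'package:com.example' per line) into a set."""
    pkgs = set()
    for line in output.splitlines():
        line = line.strip()
        if line.startswith("package:"):
            pkgs.add(line[len("package:"):])
    return pkgs


def verify_uninstall(package: str, reported: str, pm_list_after: str) -> str:
    """Classify an uninstall attempt by comparing the reported status to the package list.

    Returns one of:
      'removed'              - package is gone
      'failed'               - the command itself reported a failure and the package remains
      'reported-but-present' - success was reported but the package is still installed,
                               the behaviour the page attributes to Oldboot.B
    """
    still_present = package in parse_pm_list(pm_list_after)
    if reported.strip() == "Success" and still_present:
        return "reported-but-present"
    if still_present:
        return "failed"
    return "removed"


# Constructed sample output of 'pm list packages' taken after the uninstall attempt.
PM_LIST_AFTER = """package:com.android.settings
package:com.example.promo
package:com.android.phone
"""

if __name__ == "__main__":
    # "Success" is what 'pm uninstall' prints when it claims the package was removed.
    print(verify_uninstall("com.example.promo", "Success", PM_LIST_AFTER))
```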
All said and done, it is ultimately the user who needs to be cautious and avoid downloading applications or data from unauthorized web stores. Mobile applications should be downloaded or bought only from trustworthy sources, and suspicious ones should be avoided in all scenarios.