We use cookies on our websites. Information about cookies and how you can object to the use of cookies at any time or end their use can be found in our privacy policy.
New self-replicating Android malware you need to know about
3 min read 5 comments

New self-replicating Android malware you need to know about

We know that Android is a bit susceptible to malware and trojans, in much the same way as desktop PCs have always been more prone to that kind of dodgy activity than Apple computers. Now, there's a new bootkit malware doing the rounds that has reportedly infected upwards of 350,000 devices. It may be largely targeted at Chinese devices right now, but it's something to be wary of internationally too.

androidpit malware trojan virus
Malware comes in many shapes and sizes. And you never know what's inside. / © AndroidPIT

The trojan, called ''Android.Oldboot'', resides in your device's memory and launches itself during the boot stage. Even if you successfully remove the malware, a small part of the malware is secreted away in a protected area of memory and simply re-installs itself the next time you reboot. Nasty stuff indeed and just what we need: self-replicating malware.

DrWeb Oldboot Malware Coverage
Right now the threat may be fairly localized, but it bodes badly for the future of malware. / © Dr.Web

The trojan was discovered by Russian security firm Dr. Web, who claim it is the first bootkit trojan on the Android platform. The malware has been detected on over 350,000 devices globally, from the US, China, Germany, Spain, Russia, Brazil, Italy and various Southeast Asian countries. The vast majorities of affected devices are located in China, however, and Dr. Web states the trojan was initially intended for that market. As Dr. Web explained the threat:

[The] attackers have used a very unusual technique, namely, placing one of the Trojan components into the boot partition of the file system and modifying the init script which is responsible for the initialization of OS components....Part of the Trojan Android.Oldboot is installed as a typical application which further functions as a system service....Reflashing a device with modified firmware that contains the routines required for the Trojan’s operation is the most likely way this threat is introduced.

DrWeb Oldboot Trojan Screens
Android.Oldboot.1 lives in the Google kernel and becomes a part of your system services. / © Dr.Web

This means that the malware is actually placed onto the device either through flashing untrustworthy ROMs or by a specific individual with access to the device, which could happen quite easily when purchasing a device from an unknown individual from a foreign country. Dr. Web encourages consumers to be wary of buying devices of ''unknown origin and using OS images from unreliable sources.'' Considering the massive rise of cheap handsets being manufactured and sold in China, this trojan could just be the tip of the malware iceberg.

Have you ever purchased an Android device from an unknown third party? Do you think this kind of malware is likely to increase over time?

Via: The Next Web Source: Dr.Web


Write new comment:
All changes will be saved. No drafts are saved when editing

  • Hey @Amat, @Saem and @Bernd, the reason I didn't detail the activity of the trojan is because Dr. Web didn't and they discovered it. I couldn't find any information at the time of publishing about what the trojan actually does. My understanding is that it was laying idle, which is why it wasn't bigger news - if something bad had happened to 350,000 devices all at once then we all would've heard about it. I think Dr. Web just spotted it and reported it even though they didn't say what it did. I suspect the recommended way to get rid of it is to use their software ;)

  • qian Feb 7, 2014 Link to comment


  • yes. we want to know what does the malware can do to the devices

  • Well a bit hard to understand why the most important information are missing. What harm does it do and how can it be detected and removed.

  • Good post. What does it do after installing itself and booting on startup? How does it affect the device and how to stop it?