Monday, 7 April 2014

Android Oldboot B Malware, a successor of Oldboot A

Oldboot B
Android Oldboot B malware has been detected by Chinese researchers from '360 Mobile Security' and appears to be an evolution of its predecessor Oldboot A. As of today it is the most complex bootkit seen on Android and is considered the most sophisticated Android malware detected so far; it has already infected millions of mobile devices.

Its predecessor, Oldboot A, was detected in early 2014 by Doctor Web, a Russian security firm. Oldboot A's principal capability is to re-infect the smartphone after a reboot even when the user has deleted all of its components. A bootkit is a category of malware that infects the host at startup and is also capable of performing malicious activities, which may include stealing data, communicating with a remote C&C server, encrypting the disk, and removing applications from the victim's device. Moreover, Oldboot B implements a new type of advanced evasion technique that lets it avoid deletion by the principal antivirus products as well as by automated analysis systems.

Oldboot silently injects malicious modules

Besides silently installing apps in the background, Oldboot B can inject malicious modules into critical system processes, prevent apps from being uninstalled, disable or uninstall mobile antivirus software, and modify the browser's homepage. Oldboot is a well-organized, large Trojan family in which every member has a clear division of labor; it has been written by professional programmers, is promoted by some commercial companies, and evolves constantly, and a dedicated tool has been developed specifically to detect and defend against this bootkit effectively.

Once a user's Android device is infected, the Oldboot B malware waits for commands sent by the C&C server, located at az.o65.org (IP 61.160.248.67), and makes use of steganography to hide data within the files exchanged with the C&C; it then installs various malicious applications on the user's device. Oldboot B consists of four principal components, which register themselves as services and thereby also ensure the persistence of the malicious code.

Evasion Capabilities – Meaningless code and Random Behavior

The first, boot_tst, is the component responsible for receiving and executing commands; it uses a remote injection technique to introduce an SO file and a JAR file into the Android 'system server' process. The second, adb_server, replaces the pm script of the Android system with itself; its main function is to prevent the malicious code from being uninstalled.

The third, meta_chk, silently downloads and installs promoted Android apps in the background and is also capable of opening a backdoor for remote control. In addition, this component can remove itself while leaving the injected process in memory, so antivirus software is unable to detect it, since such software cannot perform a memory scan on the Android platform. Finally, agentsysline runs in the background and receives commands from the C&C server; within its abilities are deleting specific files, enabling or disabling the network connection, and uninstalling antivirus software.

The evasion capabilities that most likely make Oldboot B hard to detect are that it adds meaningless code and triggers some behavior randomly, checks whether a SIM card is present in the device and skips certain behavior if there is none, and checks for the existence of antivirus software, which it probably uninstalls before doing anything malicious. The way to avoid Oldboot B is to download and install apps from official stores only and to avoid unreliable custom ROMs. If a device is infected by Oldboot B, the free removal tool designed by the antivirus firm 360 Mobile Security can be downloaded.
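As an added example (not code from this post or from 360 Mobile Security), the following Python script runs the indicators the post names against constructed log lines: the C&C domain and IP given above, plus the four component names treated as process-name indicators. Treating the component names as process names is an assumption, since the post does not say how they appear on a device; the DNS-log line format and the ps output are likewise constructed for the example.

```python
import re

# Indicators as reported in the post: the C&C host and IP for Oldboot B.
C2_DOMAINS = {"az.o65.org"}
C2_IPS = {"61.160.248.67"}
# The four component names from the post, treated here as process-name
# indicators (assumption: the post does not state how they appear on a device).
COMPONENT_NAMES = {"boot_tst", "adb_server", "meta_chk", "agentsysline"}

# Constructed resolver log format (assumption): "<ts> query <name> -> <answer>"
DNS_RE = re.compile(r"^(?P<ts>\S+)\s+query\s+(?P<qname>\S+)\s+->\s+(?P<answer>\S+)$")

# Constructed sample log lines; not captured from a real device.
SAMPLE_DNS_LOG = [
    "2014-04-07T09:00:01 query www.example.com. -> 93.184.216.34",
    "2014-04-07T09:00:05 query AZ.O65.ORG. -> 61.160.248.67",
    "2014-04-07T09:00:09 query cdn.example.net. -> 61.160.248.67",
    "malformed line that the parser must skip",
]
SAMPLE_PS_OUTPUT = [
    "USER  PID  PPID  VSIZE  RSS  WCHAN  PC  NAME",
    "root  1    0     100    50   c0123  00  /init",
    "root  512  1     3000   400  c0456  00  /system/bin/meta_chk",
    "shell 530  1     2000   300  c0789  00  /system/bin/sh",
    "root  541  1     2500   350  c0abc  00  agentsysline",
]

def scan_dns_log(lines):
    """Return (ts, qname, answer) for lines whose name or answer is a C&C indicator.
    Matching on the answer IP also catches a lookup under a different domain."""
    hits = []
    for line in lines:
        m = DNS_RE.match(line.strip())
        if not m:
            continue  # unparseable line: skip rather than crash
        qname = m.group("qname").rstrip(".").lower()  # normalise trailing dot and case
        answer = m.group("answer")
        if qname in C2_DOMAINS or answer in C2_IPS:
            hits.append((m.group("ts"), qname, answer))
    return hits

def scan_ps_output(lines):
    """Return component names found in the NAME column of ps-style output."""
    found = []
    for line in lines[1:]:  # first line is the column header
        fields = line.split()
        if fields:
            name = fields[-1].rsplit("/", 1)[-1]  # strip any directory prefix
            if name in COMPONENT_NAMES:
                found.append(name)
    return found
```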
