{
	"id": "8cd01e49-b45e-4034-a5d0-97ca8d4e9bba",
	"created_at": "2026-04-06T00:13:50.668914Z",
	"updated_at": "2026-04-10T03:30:33.776071Z",
	"deleted_at": null,
	"sha1_hash": "cd3e2ad498545fdc126ca63595d9dbcbe9d524cf",
	"title": "First widely distributed Android bootkit Malware infects more than 350,000 Devices",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 503984,
	"plain_text": "First widely distributed Android bootkit Malware infects more than 350,000 Devices\r\nBy The Hacker News\r\nPublished: 2014-01-29 · Archived: 2026-04-05 22:31:39 UTC\r\nIn the last quarter of 2013, sales of Android smartphones rose sharply, and it now seems that every second person you meet is an Android user.\r\nThe Russian security firm Doctor Web has identified the first mass-distributed Android bootkit, 'Android.Oldboot': malware designed to re-infect the device after every reboot, even if all of its working components have been deleted.\r\nhttp://thehackernews.com/2014/01/first-widely-distributed-android.html\r\nPage 1 of 4\n\nThe Android.Oldboot bootkit has infected more than 350,000 Android devices in China, Spain, Italy, Germany, Russia, Brazil, the USA and several Southeast Asian countries. China accounts for the bulk of the victims, with about 92% of infections.\r\nA bootkit is a rootkit variant that takes hold during device start-up, before the operating system's own defences are running. Once resident it may encrypt the disk, steal data, remove applications, or open a connection to a command-and-control server.\r\nThe technique used to plant this Trojan is unusual for Android: the attacker places one component of it in the boot partition and modifies the 'init' script (the script that initialises the operating system) so that the malware is reloaded every time the device is switched on.\r\nAt start-up, that script launches the Trojan 'imei_chk' (detected as Android.Oldboot.1), which extracts two files, libgooglekernel.so (Android.Oldboot.2) and GoogleKernel.apk (Android.Oldboot.1.origin), and copies them into /system/lib and /system/app respectively.\r\nAndroid.Oldboot then runs as a system service: it uses the libgooglekernel.so library to connect to the command-and-control server, from which it receives commands to download files, remove installed apps and install malicious ones.\r\nBecause the loader lives in the boot partition, a factory reset, which wipes only the user data partition, removes neither the loader nor the files it drops into /system. The researchers believe that the devices either had the malware pre-loaded when they shipped from the manufacturer, or that it was distributed inside modified Android firmware, so users should be wary of third-party modified firmware.\r\nTwo weeks earlier, Chinese security researchers had also reported a bootkit they called 'Oldboot', possibly the same malware or another variant of it:\r\n\"Due to the special RAM disk feature of Android devices’ boot partition, all current mobile antivirus products in the world can’t completely remove this Trojan or effectively repair the system.\"\r\n\"According to our statistics, as of today, there’re more than 500,000 Android devices infected by this bootkit in China in the last six months.\"\r\nAndroid.Oldboot is therefore almost impossible to remove with ordinary tools, and a factory reset does not help. If your device is not from a Chinese manufacturer, however, the chances that you are affected are low.\r\nThis bootkit is not the first of its kind. In March 2012 we reported that NQ Mobile Security Research Center had uncovered the world's first Android bootkit, 'DKFBootKit', which replaces certain boot processes and can start running before the system has completely booted.\r\nAndroid.Oldboot is more dangerous, however, because even if you successfully remove all of its working components from the device, the imei_chk component persists in the boot partition and reinstalls them at the next boot, so the phone is re-infected again and again.\r\nUsers are advised to install apps only from authorised stores such as Google Play, to keep installation from 'Unknown sources' disabled, and, for better protection, to install a reputable security application. Note that none of these measures can undo a bootkit that shipped inside the firmware; the one reliable remedy is to re-flash the device with its original ROM.
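The persistence chain described above (an init script in the boot-partition ramdisk starts imei_chk, which re-drops libgooglekernel.so and GoogleKernel.apk into /system on every boot) can be checked offline against a pulled copy of the device's file system. The Python script below is an added example written for this page; it is not the article's or Doctor Web's code. It assumes the directory under inspection holds the unpacked boot-image ramdisk (init.rc and any init.*.rc at its root) overlaid with the contents of the /system partition. The indicator file names are the ones the article gives; the init.rc stanza in the constructed sample, and the /sbin location of the loader, are assumptions, since the article does not print the modified script or say where imei_chk sits.

```python
import os
import tempfile

# Indicator names from the article: the boot-partition loader and the two
# components it re-drops into /system on every boot.
LOADER_NAME = 'imei_chk'
DROPPED_COMPONENTS = (
    'system/lib/libgooglekernel.so',
    'system/app/GoogleKernel.apk',
)


def parse_init_services(text):
    '''Parse the 'service <name> <path> [args]' stanzas of an Android init.rc.

    Returns a list of dicts {name, path, options}; options are the indented
    lines under the service line, up to the next top-level keyword
    (on/service/import). Comments and blank lines are ignored.'''
    services = []
    current = None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():
            parts = line.split()
            if parts[0] == 'service' and len(parts) >= 3:
                current = {'name': parts[1], 'path': parts[2], 'options': []}
                services.append(current)
            else:
                current = None          # an 'on' or 'import' block, not a service
        elif current is not None:
            current['options'].append(line.strip())
    return services


def suspicious_services(services):
    '''Services that run the loader, matched by service name or binary name.'''
    return [s for s in services
            if s['name'] == LOADER_NAME
            or os.path.basename(s['path']) == LOADER_NAME]


def triage(root):
    '''Collect Oldboot indicators under root, keyed by persistence stage.'''
    found = {'init': [], 'loader': [], 'dropped': []}
    # 1. ramdisk init scripts (init.rc, init.<hw>.rc) that start the loader
    for entry in sorted(os.listdir(root)):
        path = os.path.join(root, entry)
        if entry.startswith('init.') and entry.endswith('.rc') and os.path.isfile(path):
            with open(path, encoding='utf-8', errors='replace') as fh:
                for svc in suspicious_services(parse_init_services(fh.read())):
                    found['init'].append('{}: service {} {}'.format(entry, svc['name'], svc['path']))
    # 2. the loader binary itself; the article gives no path, so walk the tree
    for dirpath, _dirs, files in os.walk(root):
        if LOADER_NAME in files:
            found['loader'].append(os.path.relpath(os.path.join(dirpath, LOADER_NAME), root))
    # 3. the components dropped into /system
    for rel in DROPPED_COMPONENTS:
        if os.path.exists(os.path.join(root, rel)):
            found['dropped'].append(rel)
    return found


def verdict(found):
    '''Turn the indicator pattern into the clean-up decision the article implies.'''
    if found['init'] or found['loader']:
        return 'boot partition compromised: reflash the stock boot image'
    if found['dropped']:
        return 'payload present, loader not seen: inspect the boot image before trusting deletion'
    return 'clean'


def make_sample_tree(infected=True):
    '''Constructed sample tree (empty placeholder files, not real malware).'''
    root = tempfile.mkdtemp(prefix='oldboot_')
    for sub in ('sbin', 'system/lib', 'system/app'):
        os.makedirs(os.path.join(root, sub))
    init_rc = ['service adbd /sbin/adbd', '    class core', '    disabled', '']
    if infected:
        # Assumed stanza and location: the article only says init was modified to run imei_chk
        init_rc += ['service imei_chk /sbin/imei_chk', '    class core', '    oneshot', '']
        for rel in ('sbin/' + LOADER_NAME,) + DROPPED_COMPONENTS:
            open(os.path.join(root, rel), 'wb').close()
    with open(os.path.join(root, 'init.rc'), 'w', encoding='utf-8') as fh:
        fh.write('\n'.join(init_rc))
    return root


if __name__ == '__main__':
    for state in (False, True):
        tree = make_sample_tree(infected=state)
        result = triage(tree)
        print(tree, result, verdict(result), sep='\n  ')
```

Point triage() at a directory built from a dumped boot image (ramdisk unpacked at its root) plus the copied /system partition. The indicator list is deliberately tied to the file names this campaign used, so a variant with renamed components needs the same checks with its own names. A non-empty 'init' or 'loader' list is the important result: it means the files under /system will be recreated at the next boot, which is why deleting them is not a fix and the boot partition has to be re-flashed.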
After flashing, the bootkit will be removed.\r\nSource: http://thehackernews.com/2014/01/first-widely-distributed-android.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"http://thehackernews.com/2014/01/first-widely-distributed-android.html"
	],
	"report_names": [
		"first-widely-distributed-android.html"
	],
	"threat_actors": [
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434430,
	"ts_updated_at": 1775791833,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/cd3e2ad498545fdc126ca63595d9dbcbe9d524cf.pdf",
		"text": "https://archive.orkl.eu/cd3e2ad498545fdc126ca63595d9dbcbe9d524cf.txt",
		"img": "https://archive.orkl.eu/cd3e2ad498545fdc126ca63595d9dbcbe9d524cf.jpg"
	}
}