Android root attacks can persist and live forever
Didrik Steen Hegna
The Hacker News describes how it is possible for malware to become persistent through exploiting vulnerabilities in the bootloader. But why is the bootloader such a tempting target for root attacks? Let’s have a look.
What is a Bootloader?
When you turn on your phone the first thing which starts is the Boot code, which starts at a pre-defined location in the ROM (read-only-memory). This ROM is similar to the boot that is familiar to most PC users. The Boot ROM’s main function is to load the bootloader into memory, and to execute it. The bootloader is not part of the Android operating system, but it is used by manufacturers to put restrictions on what can run on the system, and to configure memory, network and various other chips required when the starts. The bootloader also checks the signature of the kernel before starting it.
If you’re interested in updating your Android phone without using the manufacturer’s software to do it you would require an “”, so that you can load the kernel and Android version of your choice on the phone.
Why the bootloader?
What the team of nine security researchers from the found was vulnerabilities in common bootloader versions, allowing the installation of a “persistent ”. s the bootloader runs before the kernel it is a good target for an advanced attacker, as it would survive any update of the kernel and operating system itself.
The target of malware is of course not the bootloader itself, but what many people do on their phones today: They do banking, they transfer funds, they enter credit card numbers and PIN codes. Persistent malware which can survive even a factory reset of the phone would be the ultimate way to gain access to this information. In order to protect these most sensitive we at Okay have chosen to act as if any device is infected. We enable a secure execution environment inside your apps, protecting only the most sensitive parts of your applications, such as transaction security. The operating system can then be infected by malware without it becoming a problem.