
What Can Live Forever? Android Root Attacks

First published: 07/11/2019

updated: 24/10/2022


The Hacker News describes how it is possible for malware to become persistent through exploiting vulnerabilities in the bootloader. But why is the bootloader such a tempting target for root attacks? Let’s have a look.

What is a Bootloader?

When you turn on your phone, the first thing that runs is the boot code stored at a fixed location in the ROM (read-only memory) of the chipset. This Boot ROM plays the same role as the boot firmware familiar to most PC users: its main job is to load the bootloader into memory, check that it carries the manufacturer's signature, and execute it.

The bootloader is not part of the Android operating system. Manufacturers use it to restrict what is allowed to run on the device, and to initialise memory, the network hardware and various other chips. On every boot it also checks the signature of the kernel before handing control to it.

If you want to run an Android build the manufacturer did not ship, you first back up the original operating system and then "root" the phone, which in practice starts with unlocking the bootloader: disabling the security setting that stops the OS from being modified (on most devices this wipes user data). Only then can you load the kernel and Android version of your choice onto the phone.

Why the Bootloader?

Security researchers have found code-execution and denial-of-service vulnerabilities in several common mobile bootloaders. Such bugs matter so much because the bootloader runs before the kernel: a vulnerability there, and anything planted through it, survives every update of the kernel and of the operating system itself.
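To make the chain of checks above concrete, here is an added example (not Okay's code and not a real bootloader) that models the boot sequence as the article describes it: the Boot ROM holds the manufacturer's public key, verifies the bootloader with it, and the bootloader in turn verifies the kernel unless the device has been unlocked. The signature scheme is deliberately a toy: unpadded RSA over a SHA-256 digest with two hard-coded Mersenne primes, so that it runs with the Python standard library alone. It is not secure and stands in for the padded RSA or elliptic-curve signatures a real device uses; the partition contents are constructed byte strings.

```python
"""Toy model of an Android-style verified boot chain (added example)."""
import hashlib
from dataclasses import dataclass

# --- toy RSA: Mersenne primes 2^127-1 and 2^521-1, trivially factorable ---
# This is NOT a usable key pair; it only makes sign/verify run offline.
_P = (1 << 127) - 1
_Q = (1 << 521) - 1
OEM_N = _P * _Q
OEM_E = 65537
_OEM_D = pow(OEM_E, -1, (_P - 1) * (_Q - 1))  # private exponent, stays at the OEM


def digest_int(image: bytes) -> int:
    """SHA-256 of a partition image as an integer (256 bits, so < OEM_N)."""
    return int.from_bytes(hashlib.sha256(image).digest(), "big")


def oem_sign(image: bytes) -> int:
    """What the manufacturer does at build time (unpadded RSA, toy only)."""
    return pow(digest_int(image), _OEM_D, OEM_N)


def verify(image: bytes, signature: int, n: int = OEM_N, e: int = OEM_E) -> bool:
    """The check the Boot ROM and the bootloader each perform on the next stage."""
    return pow(signature, e, n) == digest_int(image)


@dataclass
class Stage:
    name: str
    image: bytes
    signature: int


def boot(bootloader: Stage, kernel: Stage, unlocked: bool) -> list:
    """Simulate one power-on and return the names of the stages that ran.

    Boot ROM -> bootloader: always verified against the key in ROM; the
    unlock state of the device does not change this step.
    Bootloader -> kernel: enforced while the device is locked; an unlocked
    bootloader (what "unlocking" for rooting or custom ROMs gives you) does
    not enforce it.
    """
    ran = ["boot_rom"]
    if not verify(bootloader.image, bootloader.signature):
        return ran  # ROM refuses to jump into an unsigned bootloader
    ran.append(bootloader.name)
    if unlocked or verify(kernel.image, kernel.signature):
        ran.append(kernel.name)
    return ran


def make_stage(name: str, image: bytes) -> Stage:
    return Stage(name, image, oem_sign(image))


# Constructed images: the bytes stand in for real partition contents.
STOCK_BOOTLOADER = make_stage("bootloader", b"aboot v1 (constructed)")
STOCK_KERNEL = make_stage("kernel", b"boot.img 4.19 (constructed)")


def scenarios() -> dict:
    """Run the cases the article describes and report which stages booted."""
    # Modified images re-using the stock signatures: new bytes, old sig.
    rooted_kernel = Stage("kernel(rooted)", b"boot.img 4.19 + su (constructed)",
                          STOCK_KERNEL.signature)
    evil_bootloader = Stage("bootloader(evil)", b"aboot v1 + backdoor (constructed)",
                            STOCK_BOOTLOADER.signature)
    # An OS update ships a newly signed kernel but leaves the bootloader
    # image untouched, so anything living in that stage is carried forward.
    updated_kernel = make_stage("kernel", b"boot.img 5.4 (constructed)")
    return {
        "stock_locked":     boot(STOCK_BOOTLOADER, STOCK_KERNEL, unlocked=False),
        "rooted_locked":    boot(STOCK_BOOTLOADER, rooted_kernel, unlocked=False),
        "rooted_unlocked":  boot(STOCK_BOOTLOADER, rooted_kernel, unlocked=True),
        "evil_bl_unlocked": boot(evil_bootloader, STOCK_KERNEL, unlocked=True),
        "after_os_update":  boot(STOCK_BOOTLOADER, updated_kernel, unlocked=False),
    }


if __name__ == "__main__":
    for case, stages in scenarios().items():
        print(f"{case:17} -> {' -> '.join(stages)}")
```

Two things the run makes visible: unlocking only relaxes the bootloader's check of the kernel, so a modified bootloader image is still refused by the Boot ROM even on an unlocked device, which is exactly why an attacker who wants to live in that stage needs a bug in the bootloader rather than an unlock; and the OS update case replaces the kernel only, leaving the bootloader image (and anything inside it) untouched.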

Of course, today the target of a lot of malware is not the bootloader itself but what people do on their phones: banking, money transfers, online purchases, or any place where credit card numbers or PIN codes are entered. Persistent malware that survives even a factory reset (a reset wipes user data, not the bootloader) would be the ultimate way to gain access to this type of information.

To protect this sensitive user data, Okay has chosen to always act as if the device is already infected. With this approach we run a secure execution environment inside the app itself, protecting its most sensitive parts (such as transaction security), so that malware in the operating system does not become a problem for them.

Want to know more about malware?

We’ve written a two-part blog post on mobile malware to answer all of your burning questions. Check out part one for what malware is, why it works and what it does, and part two for malware sources and how to avoid them.
