Mobile Devices and Bootkits

What is a Bootkit?

This week we’re going to be talking about bootkits and mobile devices. To understand what a bootkit is, we will first talk about how a computer boots up. When the device is powered on, a piece of firmware called the BIOS (on some modern computers it is called the UEFI) is launched. The BIOS/UEFI looks at a predefined place on local storage for the bootloader (or Master Boot Record). The bootloader is then launched and begins the operating system initialization process by loading the OS kernel into memory and launching the OS. The process on mobile devices is similar; the bootloader and BIOS/UEFI are generally combined, but they perform the same function of initializing the kernel of the operating system. A bootkit gets its name from the fact that on infected devices it launches before the operating system. Bootkits are extremely difficult to remove because reinstalling the OS on your device will not remove the infection. Similarly, bootkits are extremely difficult to detect because they reside outside the normal filesystem and can often conceal themselves from detection tools.
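
As an added illustration (not code from the original post), here is how a defender can check the Master Boot Record described above for tampering: parse the 512-byte sector, confirm its boot signature, and compare a hash of the boot code area against a baseline recorded while the disk was trusted. The sample sectors, function names and baseline are constructed for the example.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446            # bootstrap code area at the start of the sector
BOOT_SIGNATURE = b"\x55\xaa"   # last two bytes of a valid MBR
ENTRY = struct.Struct("<B3xB3xII")  # status, CHS, type, CHS, LBA start, sector count


def parse_mbr(sector: bytes) -> dict:
    """Return the boot-code hash and the non-empty partition entries of an MBR."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly 512 bytes")
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        status, ptype, lba_start, count = ENTRY.unpack_from(sector, BOOT_CODE_LEN + 16 * i)
        if ptype != 0:  # type 0 marks an unused slot
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": count})
    digest = hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest()
    return {"boot_code_sha256": digest, "partitions": partitions}


def boot_code_modified(sector: bytes, baseline_sha256: str) -> bool:
    """True when the boot code no longer matches the recorded known-good hash."""
    return parse_mbr(sector)["boot_code_sha256"] != baseline_sha256


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed test sector: padded boot code, one Linux partition, signature."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")
    entry = ENTRY.pack(0x80, 0x83, 2048, 204800)
    return code + entry + bytes(48) + BOOT_SIGNATURE


# Constructed placeholder bytes, not real boot code.
CLEAN = build_sample_mbr(b"\xfa\x31\xc0\x8e\xd8")
TAMPERED = build_sample_mbr(b"\xe9\x00\x10\x8e\xd8")
BASELINE = parse_mbr(CLEAN)["boot_code_sha256"]  # recorded while the disk is trusted

if __name__ == "__main__":
    print("partitions:", parse_mbr(CLEAN)["partitions"])
    print("clean modified?   ", boot_code_modified(CLEAN, BASELINE))
    print("tampered modified?", boot_code_modified(TAMPERED, BASELINE))
```

Because a bootkit can hide itself from the running system, a check like this is only meaningful when the sector is read from trusted media, for example from an offline disk image.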

Bootkit vs Rootkit

You may have heard the term rootkit before; bootkits are very similar. A rootkit and a bootkit are variants of the same malware techniques. Rootkits are often used to hide other, more malicious software from detection by using techniques such as intercepting system calls to hide files or processes from view. A bootkit is essentially a rootkit that gets launched by the bootloader and typically resides in the boot partition.

Why should you care?

Bootkits and rootkits have been around on traditional computers for many years. There are early viruses that infected Master Boot Records on DOS computers. Mobile devices are not immune. Android bootkits have been detected in “the wild” since 2014. Bootkits are stealth malware, designed to hide their own presence and the existence of their malicious payload. Re-flashing your mobile OS cannot remove them. Bootkits have even been shipped on some Android devices, making this a difficult problem to prevent. As recently as August 2017, Amazon halted sales of Blu phones because of privacy and security concerns over the Adups firmware updating technology, a bootkit-level malware that leaked users’ private data off the device.

What can you do?

Because bootkits are extremely difficult to detect and remove, prevention is the best strategy. Do not allow installing apps from “Unknown Sources” and only load applications from well-known and trusted application markets. Use Mobile App Security tools such as MI3 RECON to vet the application before installation.

Next Week

Next week we are going to dive even further into rootkits and bootkits on Android with a retrospective on their history and implications for Android over the last few years.
