April 03, 2012, 3:43 PM — Researchers at U.S.-based mobile security vendor NQ Mobile claim to have discovered the first rootkit designed to insert malicious apps into the install routines of legitimate software, giving the malware the same root privileges as those utility apps.
DKFBootKit installs itself as part of the boot sequence of Android itself, replacing several utility programs with its own versions, which mimic the same functions but give the rootkit the ability to install whatever it wants, according to NQ Mobile's security research blog.
That allows it to load itself and malware payloads early enough in the boot cycle that neither Android nor third-party security apps are able to stop it or, often, even detect it.
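One defensive check that the utility-swapping described above would fail is a hash manifest of the boot-time binaries, verified from trusted media or a recovery environment. The script below is an added example, not code from the article or from NQ Mobile; the directory layout, file contents and manifest are constructed for the demo, and it assumes GNU `sha256sum` is available.

```shell
#!/bin/sh
# Added example: record sha256 hashes of a set of system utilities once
# (the baseline), then re-verify them and report any that were replaced
# or removed. Paths and file contents below are constructed for the demo.
set -u

# make_manifest DIR OUT: write "hash  name" lines for every file in DIR.
make_manifest() {
    ( cd "$1" && for f in *; do sha256sum "$f"; done ) > "$2"
}

# verify_manifest DIR MANIFEST: print MISSING/MODIFIED lines for files whose
# hash no longer matches the baseline; return 1 on any finding, 0 if clean.
verify_manifest() {
    dir=$1; manifest=$2; rc=0
    while read -r sum name; do
        if [ ! -f "$dir/$name" ]; then
            echo "MISSING $name"; rc=1; continue
        fi
        cur=$(sha256sum "$dir/$name" | cut -d' ' -f1)
        if [ "$cur" != "$sum" ]; then
            echo "MODIFIED $name"; rc=1
        fi
    done < "$manifest"
    return $rc
}

# demo: constructed "system/bin" with two utilities; take the baseline, then
# replace one binary the way a bootkit would and run the verification.
demo() {
    tmp=$(mktemp -d)
    mkdir "$tmp/bin"
    printf 'original ifconfig\n' > "$tmp/bin/ifconfig"
    printf 'original mount\n'    > "$tmp/bin/mount"
    make_manifest "$tmp/bin" "$tmp/baseline.sha256"
    printf 'trojanized mount\n'  > "$tmp/bin/mount"   # simulated replacement
    verify_manifest "$tmp/bin" "$tmp/baseline.sha256" > "$tmp/report"
    status=$?
    cat "$tmp/report"
    rm -rf "$tmp"
    return $status
}

demo || echo "integrity check failed (status $?)"
```

In practice the baseline must be taken from a known-good image and stored off the device, since a rootkit with root can rewrite a manifest kept alongside the binaries it replaces.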
Like DroidDream, previous record-holder for most-insidious Android malware, DKFBootKit operates in full stealth mode while installing itself, replacing system software and phoning home to a command-and-control server for orders on what to do next.
Unlike DroidDream, which begins its cycle as a Trojan Horse before going on to greater things, DKFBootKit doesn't rely on Android flaws that have already been patched in the 2.3 Gingerbread version of the OS.
Instead, the rootkit attaches itself to apps that require root access to function – primarily apps designed to either give users root access to their own phones, or to manage phones that have already been rooted. That lets it avoid the need to establish its own unlimited access by adopting privileges given surreptitiously by users to software designed to run off-piste.
to give users root access so they can manage and install their own apps rather than rely on those from carriers.
DKFBootKit was found most often infecting apps such as ROM Manager, ES File Manager, game unlockers and license keys for commercial apps – most often illegal versions of those files, downloaded from pirate-content sites.
DKFBootKit adds a background service to the apps it infects that launches when the infected app is installed, checking to be sure it has root access. If not, it terminates.