We found an Android trojan in the boot partition of an infected Android device. Because the boot partition is loaded as a read-only RAM disk while Android is running, none of the existing antivirus solutions can effectively clean it.
The trojan drops a malicious APK into the system directory, connects to C&C servers, downloads and installs other adware, and fetches and executes further commands.
We classify this trojan as a bootkit and have named it "Oldboot". To the best of our knowledge, it is the first Android bootkit seen in the wild. By our statistics, more than 500,000 Android devices in China have been infected by this bootkit in the last six months.
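Since the ramdisk is read-only once Android is up, the practical way to detect this kind of infection is offline: dump the boot partition from a trusted environment and compare it against the vendor's stock boot image. The following example, added here and not code from the original report, parses the Android boot image header (v0 layout), extracts the gzip-compressed cpio "newc" ramdisk, hashes every file in it, and reports files that were added, removed or modified relative to a baseline fingerprint. The boot images, ramdisk contents and file names below are constructed inline so the script runs offline; none of them are indicators from the Oldboot sample.

```python
import gzip
import hashlib
import struct
from typing import Dict, List

# Android boot image header, version 0: magic, 10 u32 fields, name, cmdline, id, extra_cmdline.
BOOT_HDR = struct.Struct("<8s10I16s512s32s1024s")
BOOT_MAGIC = b"ANDROID!"


def _pad(data: bytes, align: int) -> bytes:
    rem = len(data) % align
    return data + b"\0" * (align - rem) if rem else data


def build_cpio_newc(files: Dict[str, bytes]) -> bytes:
    """Pack files into a cpio 'newc' archive, the format Android ramdisks use."""
    out = bytearray()
    entries = list(files.items()) + [("TRAILER!!!", b"")]
    for ino, (name, data) in enumerate(entries, start=1):
        mode = 0o100644 if name != "TRAILER!!!" else 0
        # newc fields: ino mode uid gid nlink mtime filesize devmaj devmin rdevmaj rdevmin namesize check
        fields = [ino, mode, 0, 0, 1, 0, len(data), 0, 0, 0, 0, len(name) + 1, 0]
        header = b"070701" + "".join("%08x" % f for f in fields).encode()
        out += _pad(header + name.encode() + b"\0", 4)   # header+name padded to 4
        out += _pad(data, 4)                              # data padded to 4
    return bytes(out)


def parse_cpio_newc(archive: bytes) -> Dict[str, bytes]:
    """Walk a cpio 'newc' archive and return {path: content}."""
    files: Dict[str, bytes] = {}
    pos = 0
    while pos + 110 <= len(archive):
        if archive[pos:pos + 6] != b"070701":
            raise ValueError("bad cpio magic at offset %d" % pos)
        fields = [int(archive[pos + 6 + 8 * i:pos + 14 + 8 * i], 16) for i in range(13)]
        filesize, namesize = fields[6], fields[11]
        name = archive[pos + 110:pos + 110 + namesize - 1].decode()
        pos += (110 + namesize + 3) & ~3
        data = archive[pos:pos + filesize]
        pos += (filesize + 3) & ~3
        if name == "TRAILER!!!":
            break
        files[name] = data
    return files


def build_boot_image(kernel: bytes, ramdisk: bytes, page_size: int = 2048) -> bytes:
    """Assemble a minimal v0 boot image: header page, kernel pages, ramdisk pages."""
    header = BOOT_HDR.pack(BOOT_MAGIC, len(kernel), 0x10008000, len(ramdisk), 0x11000000,
                           0, 0x10F00000, 0x10000100, page_size, 0, 0,
                           b"constructed", b"console=ttyS0", b"\0" * 32, b"")
    return _pad(header, page_size) + _pad(kernel, page_size) + _pad(ramdisk, page_size)


def extract_ramdisk(image: bytes) -> bytes:
    """Locate the ramdisk blob using the sizes and page size recorded in the header."""
    magic, ksize, _, rsize, _, _, _, _, page, *_ = BOOT_HDR.unpack_from(image, 0)
    if magic != BOOT_MAGIC:
        raise ValueError("not an Android boot image")
    ramdisk_off = page + ((ksize + page - 1) // page) * page
    return image[ramdisk_off:ramdisk_off + rsize]


def fingerprint(image: bytes) -> Dict[str, str]:
    """SHA-256 of every file inside the boot image's ramdisk."""
    files = parse_cpio_newc(gzip.decompress(extract_ramdisk(image)))
    return {name: hashlib.sha256(data).hexdigest() for name, data in files.items()}


def audit_boot_image(image: bytes, baseline: Dict[str, str]) -> Dict[str, List[str]]:
    """Diff a dumped boot image against a known-good fingerprint."""
    current = fingerprint(image)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(n for n in current.keys() & baseline.keys() if current[n] != baseline[n]),
    }


# Constructed stand-in for a vendor's stock ramdisk (not real device content).
CLEAN_FILES = {
    "init": b"\x7fELF constructed init binary",
    "init.rc": b"on boot\n    start servicemanager\n",
    "default.prop": b"ro.secure=1\n",
}
# Constructed "infected" variant: one existing file changed, one file added.
INFECTED_FILES = dict(CLEAN_FILES)
INFECTED_FILES["init.rc"] = CLEAN_FILES["init.rc"] + b"# constructed modification\n"
INFECTED_FILES["sbin/constructed_extra"] = b"\x7fELF constructed extra binary"

KERNEL = b"\0" * 64  # constructed stand-in for a kernel image
CLEAN_IMAGE = build_boot_image(KERNEL, gzip.compress(build_cpio_newc(CLEAN_FILES)))
INFECTED_IMAGE = build_boot_image(KERNEL, gzip.compress(build_cpio_newc(INFECTED_FILES)))
BASELINE = fingerprint(CLEAN_IMAGE)

if __name__ == "__main__":
    print("clean:   ", audit_boot_image(CLEAN_IMAGE, BASELINE))
    print("infected:", audit_boot_image(INFECTED_IMAGE, BASELINE))
```

In practice the baseline comes from the stock boot image in the vendor's firmware package and the image under test is a raw dump of the device's boot partition; any entry under "added" or "modified" is the ramdisk content that a runtime antivirus scan of the mounted system cannot see, and remediation means reflashing the stock boot image rather than deleting files from the running system.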