S0285: OldBoot
Analyst context for executives and security teams
OldBoot is identified by ATT&CK as an Android malware family associated with persistence through boot or logon initialization behavior. For leaders, the practical issue is mobile device resilience: malware that survives reboot can complicate containment, user remediation, and confidence in device trust, especially where Android devices support business operations, field work, privileged access, or regulated workflows.
Executive priority
Treat this as a mobile endpoint trust and incident-readiness concern rather than a generic malware entry. Security leaders should ask whether Android devices used for business are inventoried, monitored, and recoverable; whether rooted or otherwise unmanaged devices are allowed to access corporate resources; and whether mobile incident response procedures can distinguish simple app removal from cases requiring device reimage, factory reset, or access revocation. This also supports compliance evidence around mobile device governance and access control where Android endpoints are in scope.
Technical view
ATT&CK provides no official detection text for OldBoot, but the relationship context links it to T1398, Boot or Logon Initialization Scripts, where persistence relies on initialization mechanisms that are normally not user-accessible unless a device has been rooted or jailbroken. SOC and IR teams should validate mobile telemetry and MDM/EMM visibility for signs of device compromise, rooting or jailbreak status, suspicious startup persistence, unexpected system-level changes, and repeat reappearance of unwanted software after reboot. Because the OldBoot object itself has no listed platforms beyond its Android malware-family description, detection engineering should scope validation to Android business use cases and avoid assuming coverage from desktop EDR controls.
Likely telemetry
- Mobile device inventory and enrollment status
- Android OS version, patch level, and device integrity or root-detection signals
- MDM/EMM compliance state and policy violation history
- Mobile threat defense alerts, if deployed
- Application inventory, installation source, and package reputation where available
Detection direction
- Confirm whether Android devices that access business resources are visible to MDM/EMM or equivalent mobile security tooling.
- Validate that root or device-integrity failures trigger alerting, access restriction, or investigation workflows.
- Look for persistence-oriented patterns rather than one-time app detections, including recurrence after reboot or remediation.
- Correlate mobile compliance events with identity and application access logs to determine whether a compromised or noncompliant device retained access.
- Tune detections carefully because legitimate device management actions, OS updates, and enterprise apps may create startup or compliance-change noise.
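A small correlation pass over the kinds of MDM compliance and access events the list above describes, added here as an example and not part of the ATT&CK or Glexia content; the event names, fields, and sample records are constructed assumptions standing in for whatever the local MDM/EMM and identity provider actually emit.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample telemetry, not real data. Event names and fields are
# assumptions; adapt them to the local MDM/EMM and IdP log schema.
MDM_EVENTS = [  # (timestamp, device_id, event, detail)
    ("2024-03-01T08:00:00", "dev-01", "compliant", ""),
    ("2024-03-01T09:15:00", "dev-02", "root_detected", "integrity check failed"),
    ("2024-03-01T09:20:00", "dev-02", "app_removed", "com.example.unwanted"),
    ("2024-03-01T11:05:00", "dev-02", "reboot", ""),
    ("2024-03-01T11:07:00", "dev-02", "app_installed", "com.example.unwanted"),
    ("2024-03-01T10:00:00", "dev-03", "noncompliant", "patch level outdated"),
]
ACCESS_LOGS = [  # (timestamp, device_id, resource)
    ("2024-03-01T08:30:00", "dev-01", "mail"),
    ("2024-03-01T10:40:00", "dev-02", "crm"),
    ("2024-03-01T09:00:00", "dev-03", "mail"),
]
NONCOMPLIANT = {"root_detected", "noncompliant"}

def ts(s):
    return datetime.fromisoformat(s)

def first_noncompliance(events):
    """Earliest time each device was flagged rooted or noncompliant."""
    first = {}
    for t, dev, event, _ in sorted(events):  # ISO timestamps sort correctly
        if event in NONCOMPLIANT and dev not in first:
            first[dev] = ts(t)
    return first

def access_after_noncompliance(events, logs):
    """Resource access at or after the device was flagged: did it keep access?"""
    flagged = first_noncompliance(events)
    return [(dev, res, t) for t, dev, res in sorted(logs)
            if dev in flagged and ts(t) >= flagged[dev]]

def recurrence_after_remediation(events):
    """Packages reinstalled after removal with a reboot in between: the
    persistence-oriented pattern rather than a one-time app detection."""
    removed = defaultdict(dict)   # device -> package -> removal time
    rebooted = defaultdict(list)  # device -> reboot times
    hits = []
    for t, dev, event, detail in sorted(events):
        if event == "app_removed":
            removed[dev][detail] = ts(t)
        elif event == "reboot":
            rebooted[dev].append(ts(t))
        elif event == "app_installed" and detail in removed[dev]:
            gone = removed[dev][detail]
            if any(gone < r < ts(t) for r in rebooted[dev]):
                hits.append((dev, detail))
    return hits
```

In the constructed data dev-03's access predates its noncompliance flag and is not reported, while dev-02 both retained access and shows the reinstall-after-reboot pattern.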
Mitigation priorities
- Prioritize inventory and enrollment controls for Android devices used to access corporate resources.
- Restrict access from rooted, jailbroken, unmanaged, or noncompliant mobile devices where policy and business requirements allow.
- Maintain mobile OS and security update governance for managed Android fleets.
- Define IR playbooks for persistent mobile malware cases, including access revocation, credential reset considerations, device wipe or rebuild decisions, and evidence preservation.
- Use least-privilege and conditional access principles so a single compromised mobile device does not create broad business exposure.
Analyst notes and limits
The supplied ATT&CK data is sparse: OldBoot is described only as an Android malware family, with one external reference and a relationship to T1398. The most decision-useful angle is persistence and trust of Android endpoints, especially where mobile devices are allowed to reach business systems. Relationship-driven context should be used to guide validation, not to infer specific OldBoot implementation details beyond the supplied ATT&CK fields.
No official ATT&CK detection guidance, tactics, object platforms, aliases, or labels were provided for OldBoot. The related technique lists Android and iOS, but the malware description identifies OldBoot as Android; any iOS applicability should be treated as technique context, not as an OldBoot platform claim. Local telemetry, MDM architecture, BYOD policy, and mobile access paths are required to assess real exposure or coverage.
OldBoot
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Mobile | T1398 | Boot or Logon Initialization Scripts | OldBoot uses escalated privileges to modify the init script on the device's boot partition to maintain persistence. (Citation: HackerNews-OldBoot) |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources (Updates).
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 93af9d58daab… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] HackerNews-OldBoot: Sudhir K Bansal. (2014, January 28). First widely distributed Android bootkit Malware infects more than 350,000 Devices. Retrieved December 21, 2016.
- [2] OldBoot: (Citation: HackerNews-OldBoot)
- [3] mitre-attack: S0285
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.