Dvmap Android Malware
A powerful Trojan with novel code injection features, distributed through the Google Play Store while posing as a game, has recently been removed from the store. The Trojan was downloaded from Google's official app marketplace over 50,000 times. It is a particularly dangerous form of malware because it injects code into the system runtime libraries and then deletes its own root access, so that root-detection features in security and banking apps, which are designed to detect exactly this kind of intrusion, have nothing to find.
According to cybersecurity researchers at Kaspersky Lab, the Dvmap Trojan is not only capable of obtaining root access on Android devices but can also monitor information and install other applications. To get Dvmap past Google Play's checks, the cybercriminals uploaded a clean application at the end of March and then, on five separate occasions between April 18 and May 15, pushed malicious updates, each of which remained available for only a short period before the app was reverted to the clean version.
Once it infects a device, Dvmap, which works on both 32-bit and 64-bit versions of Android, uses a local root exploit pack to obtain root privileges. It then installs its malicious modules and injects hostile code into the system runtime libraries; experts believe it is the first piece of Android malware to do so. But Dvmap has other tricks up its sleeve: once its modules are in place, it deletes its root access in an attempt to avoid detection. The code includes comments written in Chinese.
“The introduction of code injection capability is a dangerous new development in mobile malware,” according to Kaspersky Lab. “Since the approach can be used to execute malicious modules even with root access deleted, any security solutions and banking apps with root-detection features that are installed after infection won’t spot the presence of the malware.”
Dvmap disguised itself as 'colourblock', a simple puzzle game on Google Play, and bypassed the store's security checks by first uploading a clean version of the app in March. Shortly afterwards, the attackers updated it to a malicious version for a short time before reverting it to the clean version.
The code injection takes place in the main phase of the attack, when the malware patches one of two runtime libraries, either libdvm.so or libandroid_runtime.so depending on the version of Android present, replacing legitimate code with malicious code that executes its modules. This patching has caused many legitimate applications to crash or stop functioning properly. The injected code then executes a file that turns off the Verify Apps feature in Android, so that apps from third-party stores can be installed without being checked.
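The two artefacts that paragraph describes, a patched runtime library and a disabled Verify Apps setting, are what an incident responder would check for on a suspect handset. The script below is an added example written for this page, not Kaspersky Lab's tooling or the malware's own code; it runs over constructed adb output embedded in the file rather than a live device. The version-to-library mapping (libdvm.so before Android 5.0, libandroid_runtime.so from 5.0 on), the lib64 path on 64-bit builds and the baseline hashes are assumptions; in practice the baseline hashes come from the factory image of the exact build under investigation.

```python
"""Triage checks for a patched runtime library and a disabled Verify Apps setting.

Added example, not code from Kaspersky Lab or from Dvmap. It consumes text you
would collect from a suspect device, e.g.:
  adb shell getprop ro.build.version.sdk
  adb shell sha256sum /system/lib/libandroid_runtime.so
  adb shell settings get global package_verifier_enable
  adb shell settings get secure install_non_market_apps
Assumptions (not from the article): the library-per-version mapping, the lib64
path on 64-bit builds, and the baseline hashes, which here are derived from
constructed strings and in practice come from the factory image.
"""
from __future__ import annotations
import hashlib
from dataclasses import dataclass


@dataclass
class Finding:
    check: str
    detail: str


def runtime_library(sdk_level: int, is_64bit: bool = False) -> str:
    """Path of the runtime library the Trojan would patch on this build.
    Assumption: Dalvik's libdvm.so before Android 5.0 (API 21), ART's
    libandroid_runtime.so from 5.0 on; 64-bit builds load it from lib64."""
    libdir = "/system/lib64" if is_64bit else "/system/lib"
    name = "libdvm.so" if sdk_level < 21 else "libandroid_runtime.so"
    return f"{libdir}/{name}"


def parse_sha256sum(line: str) -> tuple[str, str]:
    """Split a `sha256sum` output line ('<hex>  <path>') into (hex, path)."""
    digest, sep, path = line.strip().partition("  ")
    if not sep or len(digest) != 64:
        raise ValueError(f"not a sha256sum line: {line!r}")
    return digest.lower(), path.strip()


def check_runtime_library(sdk_level: int, is_64bit: bool,
                          sha256sum_line: str, baseline: dict[str, str]) -> list[Finding]:
    """Compare the hashed library against the factory-image baseline."""
    digest, path = parse_sha256sum(sha256sum_line)
    expected = runtime_library(sdk_level, is_64bit)
    if path != expected:
        return [Finding("runtime_library",
                        f"hashed {path}, but the library to inspect on API {sdk_level} is {expected}")]
    good = baseline.get(expected)
    if good is None:
        return [Finding("runtime_library", f"no baseline hash for {expected}; cannot verify")]
    if digest != good:
        return [Finding("runtime_library",
                        f"{expected} differs from the factory-image hash: possible injected code")]
    return []


def check_install_settings(package_verifier_enable: str,
                           install_non_market_apps: str) -> list[Finding]:
    """`settings get` prints the stored value, or 'null' when the key was never
    written (Verify Apps then keeps its default, on). A value of 0 means the
    verifier was switched off; side-loading additionally needs unknown sources (1)."""
    findings = []
    if package_verifier_enable.strip() == "0":
        findings.append(Finding("verify_apps",
                                "package_verifier_enable=0: Verify Apps has been switched off"))
    if install_non_market_apps.strip() == "1":
        findings.append(Finding("unknown_sources",
                                "install_non_market_apps=1: installs from outside Google Play are allowed"))
    return findings


def triage(device: dict, baseline: dict[str, str]) -> list[Finding]:
    """Run every check over one device's collected values."""
    findings = check_runtime_library(int(device["sdk"]), device["is_64bit"],
                                     device["sha256sum"], baseline)
    findings += check_install_settings(device["package_verifier_enable"],
                                       device["install_non_market_apps"])
    return findings


def placeholder_digest(label: str) -> str:
    """Stand-in for a real baseline: the hash of a constructed string, not of a
    real library. Replace with the sha256 of the file from the factory image."""
    return hashlib.sha256(label.encode()).hexdigest()


BASELINE = {
    "/system/lib/libdvm.so": placeholder_digest("clean libdvm.so"),
    "/system/lib/libandroid_runtime.so": placeholder_digest("clean libandroid_runtime.so"),
}

# Constructed device outputs standing in for real adb results.
INFECTED_DEVICE = {  # Android 5.1 (API 22), 32-bit, after a Dvmap-style infection
    "sdk": "22", "is_64bit": False,
    "sha256sum": placeholder_digest("patched libandroid_runtime.so") + "  /system/lib/libandroid_runtime.so",
    "package_verifier_enable": "0", "install_non_market_apps": "1",
}
CLEAN_DEVICE = {
    "sdk": "22", "is_64bit": False,
    "sha256sum": BASELINE["/system/lib/libandroid_runtime.so"] + "  /system/lib/libandroid_runtime.so",
    "package_verifier_enable": "null", "install_non_market_apps": "0",
}

if __name__ == "__main__":
    for name, dev in (("infected", INFECTED_DEVICE), ("clean", CLEAN_DEVICE)):
        print(name + ":", [f.detail for f in triage(dev, BASELINE)] or ["no findings"])
```

On a real handset the unknown-sources finding is only corroborating evidence, since many users enable it themselves; the library hash mismatch is the decisive one, which is why it is checked against a per-build baseline rather than a single fixed value.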
If successfully installed and executed, Dvmap can connect to a command and control server, although on the device investigated it received no commands. Researchers suggest that if allowed to run, additional malware or advertising files could be stored on the device. This type of code injection marks a dangerous new development in Android malware, researchers note. The Trojan has been removed from the store.