New Android malware dubbed Dvmap was found in, and removed from, the official Google Play Store
Kaspersky Lab has discovered a new malware strain that is capable of obtaining root access on Android devices and of taking over system libraries by injecting code into them.
The malware, named Dvmap, was seen being distributed as a game called Colourblock and introduces a capability not previously seen in mobile malware.
“In April 2017 we started observing new rooting malware being distributed through the Google Play Store. Unlike other rooting malware, this Trojan not only installs its modules into the system, it also injects malicious code into the system runtime libraries. Kaspersky Lab products detect it as Trojan.AndroidOS.Dvmap.a.” states Kaspersky Lab.
The ability to inject code into system libraries at runtime had not been seen in Android malware until now and represents a dangerous evolution of Android threats.
After the application is installed, the malware tries to gain root access and launches a file that checks the Android version to decide which library it will inject its code into. Once this succeeds, the malware tries to connect to a C&C server, which keeps every component of the malware updated. Dvmap can also disable the user’s security settings in its attempts to gain root access over the device.
The creators of the malware bypassed the Play Store’s security mechanisms by embedding it in a game using a two-phase infection method. First, a malware-free version of the game was uploaded to the Play Store; the application was then replaced with the malicious version, evading Google’s checks in this way. Before its removal, the malware infected at least 50,000 devices that downloaded the game.
“This makes Dvmap the first Android malware that injects malicious code into the system libraries in runtime, and it has been downloaded from the Google Play Store more than 50,000 times. Kaspersky Lab reported the Trojan to Google, and it has now been removed from the store.” continues Kaspersky.
Dvmap can disable runtime libraries depending on which version of Android is in use, so that it can install other third-party payloads that could compromise sensitive data such as banking accounts. One of these payloads is “com.qualcmm.timeservices”. The malware also works on both 32-bit and 64-bit versions of Android.
So far there is no fix for the malware, but users can rely on simple security best practices to avoid or contain an infection. It is highly recommended that users download applications only from the developer’s official site, keep an up-to-date backup of their data, and always check which permissions will be granted to an application before installing it. A full factory reset is also strongly recommended for users who have been infected, as is keeping antivirus definitions up to date.
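The article names one concrete indicator of a Dvmap infection, the payload package “com.qualcmm.timeservices”, whose name imitates the legitimate Qualcomm vendor prefix. The following triage helper is an added example, not code from the article or from Kaspersky Lab: it parses the output of the stock Android command `adb shell pm list packages -f` (lines of the form `package:/path/to/base.apk=com.example.app`), flags the indicator quoted above, and generalizes the idea by also flagging any package whose first two name labels are one edit away from a trusted vendor prefix. The trusted-prefix list and the sample `pm` output are constructed assumptions for this example.

```python
"""Triage helper: scan `adb shell pm list packages -f` output for the Dvmap
payload package named in the article and for look-alike vendor prefixes.
Added example; not the article's or Kaspersky Lab's code."""
import re

# Indicator quoted in the article: the payload package installed by Dvmap.
KNOWN_BAD_PACKAGES = {"com.qualcmm.timeservices"}

# Legitimate vendor prefixes that a malicious package may imitate.
# This list is an assumption of the example, not taken from the article.
TRUSTED_PREFIXES = {"com.qualcomm", "com.google", "com.android"}

# `pm list packages -f` prints: package:<apk path>=<package name>
LINE_RE = re.compile(r"^package:(?P<apk>\S+?)=(?P<name>[\w.]+)$")

# Constructed sample output (not captured from a real device).
SAMPLE_PM_OUTPUT = """\
package:/system/priv-app/Contacts/Contacts.apk=com.android.contacts
package:/system/app/QcExample/QcExample.apk=com.qualcomm.example
package:/data/app/com.qualcmm.timeservices-1/base.apk=com.qualcmm.timeservices
package:/data/app/com.example.colourblock-1/base.apk=com.example.colourblock
package:/data/app/com.goggle.play-2/base.apk=com.goggle.play
package:/data/app/com.google.android.gms-1/base.apk=com.google.android.gms
"""


def parse_pm_list(output: str):
    """Return (package_name, apk_path) tuples for every well-formed line."""
    entries = []
    for line in output.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((m.group("name"), m.group("apk")))
    return entries


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def looks_like_typosquat(pkg_name: str):
    """Return the trusted prefix this package name imitates, or None.

    Only the first two labels (e.g. 'com.qualcmm') are compared, and an exact
    match with a trusted prefix is never flagged.
    """
    labels = pkg_name.split(".")
    if len(labels) < 2:
        return None
    head = ".".join(labels[:2])
    for prefix in TRUSTED_PREFIXES:
        if head != prefix and edit_distance(head, prefix) == 1:
            return prefix
    return None


def triage(output: str):
    """Return (package_name, reason) findings for the given pm output."""
    findings = []
    for name, _apk in parse_pm_list(output):
        if name in KNOWN_BAD_PACKAGES:
            findings.append((name, "known Dvmap payload indicator"))
            continue
        imitated = looks_like_typosquat(name)
        if imitated:
            findings.append((name, f"name imitates trusted prefix {imitated}"))
    return findings


if __name__ == "__main__":
    for pkg, reason in triage(SAMPLE_PM_OUTPUT):
        print(f"SUSPICIOUS {pkg}: {reason}")
```

On a real device, pipe `adb shell pm list packages -f` into `triage()` instead of the constructed sample; a hit on the known indicator is a strong sign of a Dvmap infection, while a look-alike prefix is only a lead that should be confirmed by checking the APK's signing certificate and install path.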
About the author Luis Nakamoto
Luis Nakamoto is a Computer Science student specializing in Cryptology and an information security enthusiast who has participated in groups such as Comissão Especial de Direito Digital e-Compliance (OAB/SP) and CCBS (Consciência Cibernética Brasil) as a researcher in new technologies related to ethical hacking, forensics, and reverse engineering. He is also a prolific and compulsive writer, contributing as an editor to Portal Tic of Sebrae Nacional.
(Security Affairs – Dvmap, Android)