Kaspersky Lab experts have discovered an unusual new Trojan being distributed through the Google Play Store. The Dvmap Trojan can not only obtain root access rights on an Android smartphone but also take control of the device by injecting malicious code into the system library. If successful, it can then delete root access, which helps to avoid detection. The Trojan has been downloaded from Google Play more than 50,000 times since March, 2017. Kaspersky Lab reported the Trojan to Google, and it has now been removed from the store.
The introduction of code injection capability is a dangerous new development in mobile malware. Since the approach can be used to execute malicious modules even with root access deleted, any security solutions and banking apps with root-detection features that are installed after infection won’t spot the presence of the malware.
However, modification of the system libraries is a risky process that can misfire. The researchers observed that the Dvmap malware tracks and reports its every move to its command and control server – although the command server didn’t respond with instructions. This suggests that the malware is not yet fully ready or implemented.
Dvmap is distributed as a game through the Google Play Store. To bypass the store’s security checks, the malware creators uploaded a clean app to the store at the end of March, 2017. They then updated this with a malicious version for a short period of time, before uploading another clean version. In the space of four weeks they did this at least five times.
The Dvmap Trojan installs itself onto a victim device in two stages. During the initial phase, the malware tries to gain root rights on the device. If successful, it will install a number of tools, some of which carry comments in the Chinese language. One of these modules is an application, “com.qualcmm.timeservices”, which connects the Trojan to its command and control server. However, during the period of investigation the malware did not receive any commands in return.
In the main phase of infection, the Trojan launches a “start” file, checks the version of Android installed and decides which library to inject its code into. The next step, overwriting the existing code with malicious code, can cause the infected device to crash.
The newly-patched system libraries execute a malicious module which can turn off the ‘VerifyApps’ feature. It then switches on the setting ‘Unknown sources’ which allows it to install apps from anywhere, not just the Google Play Store. These could be malicious or unsolicited advertising apps.
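A defender-side check for the traits described above, as an added example that is not taken from Kaspersky Lab's report: it reads captured `adb shell pm list packages` output and `settings get` values, then flags the package name quoted on this page and the two settings changes. The keys `package_verifier_enable` and `install_non_market_apps` are assumptions that map the page's ‘VerifyApps’ and ‘Unknown sources’ to the standard Android settings keys of that period, and the sample data is constructed.

```python
"""Triage captured adb output for the Dvmap traits this page describes."""

DVMAP_PACKAGE = "com.qualcmm.timeservices"  # package name quoted on this page

# Assumption: the page names only the features; these are the standard
# Android settings keys behind them on Android versions of that period.
VERIFY_APPS_KEY = "package_verifier_enable"      # adb shell settings get global ...
UNKNOWN_SOURCES_KEY = "install_non_market_apps"  # adb shell settings get secure ...


def parse_packages(pm_output):
    """Turn `adb shell pm list packages` output into a set of package names."""
    names = set()
    for line in pm_output.splitlines():
        line = line.strip()
        if line.startswith("package:"):
            names.add(line[len("package:"):])
    return names


def triage(pm_output, settings):
    """Return a list of findings; an empty list means no trait matched."""
    findings = []
    # Exact match only, so a similarly named package is not flagged.
    if DVMAP_PACKAGE in parse_packages(pm_output):
        findings.append("package present: " + DVMAP_PACKAGE)
    # `settings get` prints "null" for a key that was never written;
    # that is treated as unknown, not as a changed setting.
    if settings.get(VERIFY_APPS_KEY, "null").strip() == "0":
        findings.append("Verify Apps is turned off")
    # A user can enable this too, so it is a lead for review, not proof.
    if settings.get(UNKNOWN_SOURCES_KEY, "null").strip() == "1":
        findings.append("Unknown sources is turned on")
    return findings


# Constructed sample input (not captured from a real device).
SAMPLE_SUSPECT = "package:com.android.settings\npackage:com.qualcmm.timeservices\n"
SAMPLE_CLEAN = "package:com.android.settings\npackage:com.qualcomm.timeservice\n"

if __name__ == "__main__":
    suspect = {VERIFY_APPS_KEY: "0\n", UNKNOWN_SOURCES_KEY: "1\n"}
    for finding in triage(SAMPLE_SUSPECT, suspect):
        print("FINDING:", finding)
```

Because the injected code lives in system libraries, an empty result does not clear a device.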
“The Dvmap Trojan marks a dangerous new development in Android malware, with the malicious code injecting itself into system libraries where it is harder to detect and remove. Users who don’t have the security in place to identify and block the threat before it breaks in have a difficult time ahead. We believe that we have uncovered the malware at a very early stage. Our analysis shows that the malicious modules report their every move to the attackers and some techniques can break the infected devices. Time is of the essence if we are going to prevent a massive and dangerous attack,” said Roman Unuchek, Senior Malware Analyst, Kaspersky Lab.
Users concerned they may have been infected by Dvmap are advised to back up all their data and perform a factory data reset. In addition, Kaspersky Lab advises all users to install a reliable security solution, such as Kaspersky Internet Security for Android, on their device, to always check that apps have been created by a reputable developer, to keep their OS and application software up to date, and not to download anything that looks at all suspicious or whose source cannot be verified.
To learn more about the Dvmap Trojan, read the blog on Securelist.com.
All Kaspersky Lab products detect the Trojan as Trojan.AndroidOS.Dvmap.a.