Malware & Threats

Android Malware ‘Dvmap’ Delivered via Google Play

Researchers at Kaspersky Lab recently came across a new Trojan designed to target Android smartphones. The malware, delivered via the Google Play store, is capable of rooting devices and it leverages some new techniques to achieve its goal.

The Trojan, dubbed “Dvmap” by Kaspersky, was uploaded to Google Play disguised as various apps, such as a simple puzzle game. The security firm said the malicious apps were downloaded from the official Android app store more than 50,000 times before being removed by Google.

It’s not uncommon for malware to make its way into Google Play. In the case of Dvmap, cybercriminals uploaded a clean application at the end of March and then, on five separate occasions between April 18 and May 15, they pushed malicious updates that were available for only a short period of time.

By keeping the malicious version on Google Play only for a short amount of time – the clean version would typically be re-uploaded on the same day – the attackers managed to evade detection by Google’s security systems.

Once it infects a device, the malware, which works on both 32-bit and 64-bit versions of Android, uses a local root exploit pack to obtain root privileges. If the smartphone has been successfully rooted, several modules are installed on the system.

It’s not uncommon for rooting malware to install modules on the targeted device, but Dvmap has another trick up its sleeve. The Trojan, whose code includes comments written in Chinese, also injects malicious code into system runtime libraries, and experts believe it’s the first piece of Android malware to do this.

The code injection takes place in the main phase of the attack, when the malware patches one of two runtime libraries – either libdvm.so or libandroid_runtime.so, depending on the version of Android present.

Dvmap replaces legitimate code with malicious code in order to execute its modules. However, this can also cause some legitimate apps to crash or stop functioning properly.

The malicious code executes a file that turns off the Verify Apps feature in Android to allow the installation of apps from third-party stores. It can also provide Device Administrator rights to an installed app whose purpose is to download other files.
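The two behaviours described above, patching a system runtime library and switching off Verify Apps, both leave host-visible traces a responder can check for. The script below is an added example, not Kaspersky's or SecurityWeek's code and not part of Dvmap: it compares the runtime libraries named in the article against a known-good hash baseline and interprets the Verify Apps setting. It assumes the device's `/system/lib` tree has been pulled to a local directory (for instance with `adb pull`), that a baseline of SHA-256 hashes exists for the same firmware build, and that the Verify Apps state is readable through the `package_verifier_enable` global setting; all three are assumptions, and the library bytes in the demo are constructed placeholders rather than real ELF files.

```python
"""Host-side triage helpers for the Dvmap behaviours described in the article.

Added example (not the researchers' code). Assumes a pulled copy of /system/lib
and a hash baseline from a clean build of the same firmware.
"""
import hashlib
import os
import tempfile

# Runtime libraries Dvmap is reported to patch. Which one exists depends on the
# Android version (libdvm.so on Dalvik-era builds, libandroid_runtime.so on
# later ART builds), so both are checked; a missing file is reported separately
# from a modified one so the two cases are not confused.
RUNTIME_LIBS = ("libdvm.so", "libandroid_runtime.so")


def sha256_of(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def check_runtime_libs(lib_dir, baseline):
    """Compare the runtime libraries in lib_dir against a {name: sha256} baseline.

    Returns a dict mapping each library name to 'ok', 'modified', 'missing' or
    'no_baseline'. A 'modified' result on a runtime library is the indicator
    that matters here: legitimate updates replace the whole build, so a
    changed hash with the same build fingerprint points at tampering.
    """
    findings = {}
    for name in RUNTIME_LIBS:
        path = os.path.join(lib_dir, name)
        if name not in baseline:
            findings[name] = "no_baseline"
        elif not os.path.exists(path):
            findings[name] = "missing"
        elif sha256_of(path) != baseline[name]:
            findings[name] = "modified"
        else:
            findings[name] = "ok"
    return findings


def verify_apps_disabled(settings_output):
    """Interpret `adb shell settings get global package_verifier_enable` output.

    The key name is an assumption about the Android build. Returns True when
    the value reads as disabled (0), False when enabled (1), and None when the
    output is anything else (for example 'null' when never written).
    """
    value = settings_output.strip()
    if value == "0":
        return True
    if value == "1":
        return False
    return None


def build_sample_device():
    """Construct a throwaway /system/lib stand-in for demonstration.

    The contents are constructed placeholders, not real library bytes. The
    baseline is taken from the clean files, then libdvm.so is overwritten to
    simulate an injected patch. Returns (lib_dir, baseline).
    """
    lib_dir = tempfile.mkdtemp(prefix="dvmap-demo-")
    clean = {
        "libdvm.so": b"ELF-placeholder: clean dalvik runtime\n",
        "libandroid_runtime.so": b"ELF-placeholder: clean android runtime\n",
    }
    baseline = {}
    for name, data in clean.items():
        path = os.path.join(lib_dir, name)
        with open(path, "wb") as f:
            f.write(data)
        baseline[name] = sha256_of(path)
    # Simulate the injection: append foreign bytes to one runtime library.
    with open(os.path.join(lib_dir, "libdvm.so"), "ab") as f:
        f.write(b"/* constructed: injected loader stub */\n")
    return lib_dir, baseline


if __name__ == "__main__":
    demo_dir, demo_baseline = build_sample_device()
    print(check_runtime_libs(demo_dir, demo_baseline))
    print("Verify Apps disabled:", verify_apps_disabled("0\n"))
```

In practice the baseline should be generated from a factory image of the exact build reported by `ro.build.fingerprint`, and a `modified` result should be followed by pulling the library for analysis rather than trusted on its own, since a legitimate OTA that was not reflected in the baseline produces the same signal.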

The command and control (C&C) server did not send any files during Kaspersky’s tests so it’s unclear what types of files have been delivered, but researchers believe it’s either other malware or adware.

Judging by the fact that some of the techniques used by Dvmap can break infected devices, experts believe the cybercriminals are still testing the malware. However, given the large number of users who have already downloaded it from Google Play, they have plenty of devices to perform tests on.

Related: ‘Godless’ Android Malware Uses Multiple Rooting Exploits

Related: Android Root Exploits Abuse Dirty COW Vulnerability

Related: Android Malware Gang Makes $10,000 a Day

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.