- May 13, 2017
Android malware has entered a new era: code injection. According to a report in The Register, the Dvmap trojan, which hid inside several games in Google Play for months and was installed over 50,000 times, “installs its malicious modules while also injecting hostile code into the system runtime libraries”.
After seeking root access and dropping its payload, the sophisticated malware then patches root to cover its tracks. Interestingly, Dvmap also works on the 64-bit version of Android, can disable Google’s Verify Apps security feature and uses a truly novel approach to avoid detection by Google.
The modules were constantly sending reports back to the malware’s authors, leading Kaspersky Labs, which discovered the trojan, to believe it was still in an early testing phase. The trojan’s creators uploaded a “clean” app to Google Play and intermittently updated it with the malware components. The goal of Dvmap seems to have been to enable the installation of apps with root-level permissions from third-party stores. Kaspersky also notes Dvmap could serve ads and execute downloaded files delivered from a remote server.
While Kaspersky noted the server connection, no files were sent during its testing, again implying Dvmap was not fully operational. “The introduction of code injection capability is a dangerous new development in mobile malware,” Kaspersky told The Register. “Since the approach can be used to execute malicious modules even with root access deleted, any security solutions and banking apps with root-detection features that are installed after infection won’t spot the presence of the malware.”
Kaspersky Labs first encountered the trojan back in April and reported it to Google, which promptly removed it from the Play Store. While not all of the apps containing Dvmap were named, Kaspersky recommends a data backup and factory reset for anyone concerned that they may have been infected. So if you downloaded a game in the last few months that has since been pulled from Google Play, you might want to follow that advice just in case.