First Android Malware With Code Injection Has Arrived

tryfon

Level 2
Thread author
Verified
May 13, 2017
76
Android malware has entered a new era: code injection. According to a report in The Register, the Dvmap trojan, which hid inside several games in Google Play for months and was installed over 50,000 times, “installs its malicious modules while also injecting hostile code into the system runtime libraries”.

After seeking root access and dropping its payload, the sophisticated malware then patches root to cover its tracks. Interestingly, Dvmap also works on the 64-bit version of Android, can disable Google’s Verify Apps security feature and used a truly novel approach to avoid detection by Google.

The modules were constantly sending reports back to the malware’s authors, leading Kaspersky Labs, who discovered the trojan, to believe it was still in an early testing phase. The trojan's creators uploaded a “clean” app to Google Play and intermittently updated it with the malware components. The goal of Dvmap seems to have been to enable the installation of apps with root level permissions from third party stores. Kaspersky also notes Dvmap could serve ads and execute downloaded files delivered from a remote server.

While Kaspersky noted the server connection, no files were sent during its testing, again implying Dvmap was not fully operational. “The introduction of code injection capability is a dangerous new development in mobile malware,” Kaspersky told The Register. “Since the approach can be used to execute malicious modules even with root access deleted, any security solutions and banking apps with root-detection features that are installed after infection won’t spot the presence of the malware.”

Kaspersky Labs first encountered the trojan back in April and reported it to Google, who promptly removed it from the Play Store. While all of the apps including Dvmap were not named, Kaspersky recommends a data backup and factory reset for anyone concerned that they may have been infected. So if you downloaded a game in the last few months that has now been pulled from Google Play, you might want to follow their advice just in case.
 

Parsh

Level 25
Verified
Honorary Member
Top Poster
Malware Hunter
Well-known
Dec 27, 2016
1,480
The trojan’s creators would upload a “clean” app to Google Play and then intermittently update it with the malware components for a short period of time before replacing it with the clean version once again. The modules were constantly sending reports back to the malware’s authors, leading Kaspersky Labs, who discovered the trojan, to believe it was still in an early testing phase.
The goal of Dvmap seems to have been to enable the installation of apps with root level permissions from third party stores. Kaspersky also notes Dvmap could serve ads and execute downloaded files delivered from a remote server.
The Android AVs are not mature yet and such tricks used to exploit smartphones are alarming, though this is not the first malware to have used this method.
However, it is Not clear from the word "SEEK", whether it just asks for root access or it has the potential to root and infect like the dreadful exploit-based Godless malware.
Not a big proportion of Android users understand the basics of the OS, ecosystem and how to deal with small glitches they encounter everyday, and hinting a factory reset in case of suspicion or problems is difficult for average users, though it's usually the easiest problem solver.

These things are getting complex and being able to detect any such suspicious behavior is far from what normal or even many experienced users can do. researchers are doing a great job, hopefully the power is carried to the Android Security solutions.
One of the best ways to prevent/mitigate is to have a good Permissions Manager (built-in or 3rd party) and a Firewall (and ofcourse a good AV). Rooted devices need to be well monitored and locked!
 

Winter Soldier

Level 25
Verified
Top Poster
Well-known
Feb 13, 2017
1,486
The devious thing is just the method used that seems to be the release of a benign application (maybe a simple game) on the Play Store and, once accepted, insert an update containing the malicious code. Once installed, the malware can install other third-party apps, requiring root permissions, and performing other operations on the infected device.
So the main vector looks clean and the core infection is determined by subsequent steps.
I have to agree with @Parsh about the fact that Android AVs are not fully mature and I wonder to myself if the code injection and the access to the system libraries can trigger a detection regardless of AV signatures.
 

ravi prakash saini

Level 13
Verified
Top Poster
Well-known
Apr 22, 2015
637
Android AVs are not fully mature so are the user.in my part of the world almost every one is having smart phone. some of them even cannot tell if they are using android mobile or Windows mobile what they will tell that theirs phone is touch screen or not.
I see big danger that will put wannacry to shame
 
  • Like
Reactions: Winter Soldier

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top