Dvmap Trojan: Kaspersky Lab experts have discovered an unusual new Trojan that is distributed through the Google Play Store. Trojan Dvmap is not only able to acquire root access on Android smartphones, but can also take control of the device by injecting malicious code into a system library. If successful, it can then remove its root access, which helps it avoid detection.
The Trojan has been downloaded from Google Play more than 50,000 times since March 2017. Kaspersky Lab reported the Trojan to Google, and it has now been removed from the store.
The ability to inject code into system libraries is a dangerous new development in mobile malware. Since the approach lets the malicious code keep running even after root access has been removed, security solutions and banking apps installed after the infection will not detect the presence of the malware.
However, modifying system libraries is a risky process that can fail. The researchers noticed that Dvmap monitors and reports every step to its command and control server, although the server never responded with instructions. This suggests that the malware is not yet fully ready or fully deployed.
Dvmap is distributed as a game through the Google Play Store. To get past the store's security checks, the malware developers uploaded a clean app to the store at the end of March 2017. They then updated it to a malicious version for a short time, before uploading another clean version. Within four weeks, they did this at least five times.
Trojan Dvmap is installed on the victim's device in two stages. During the initial phase, the malware tries to gain root privileges on the device. If successful, it installs a number of tools, some of which contain comments in Chinese. One of these components is an application, "com.qualcmm.timeservices", which connects the Trojan to the command and control server. During the investigation period, however, the malware did not receive any commands.
In the main phase of the infection, the Trojan launches a "start" file, checks the installed version of Android and decides which system library to inject its code into. The next step is to overwrite existing code in that library with malicious code, which can cause the infected device to crash.
The patched system libraries run a malicious module that can disable the "Verify Apps" (application verification) feature. It then turns on the "Unknown Sources" setting, which allows it to install apps from anywhere, not just from the Google Play Store. These could be malicious or unwanted advertising applications.
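A defender-side triage check for the three indicators the report names (the "com.qualcmm.timeservices" helper package, Unknown Sources turned on, Verify Apps turned off). This is an added example, not Kaspersky Lab's code; it parses constructed sample text in the format of `adb shell pm list packages` and `adb shell settings list`, and the setting keys `install_non_market_apps` (Settings.Secure) and `package_verifier_enable` (Settings.Global) are assumptions about AOSP, not values from the report.

```python
import re

# Package named in the report; note the misspelling of "Qualcomm".
DVMAP_PACKAGE = "com.qualcmm.timeservices"

# Constructed sample output in the format of `adb shell pm list packages`
# and `adb shell settings list secure` / `settings list global`.
SAMPLE_PACKAGES = """package:com.android.settings
package:com.qualcmm.timeservices
package:com.google.android.gms
"""
SAMPLE_SECURE = "install_non_market_apps=1\nlocation_mode=3\n"
SAMPLE_GLOBAL = "package_verifier_enable=0\nadb_enabled=1\n"

def parse_package_list(text: str) -> set[str]:
    """`pm list packages` prints one `package:<name>` line per app."""
    return {m.group(1) for m in re.finditer(r"^package:(\S+)$", text, re.M)}

def parse_settings(text: str) -> dict[str, str]:
    """`settings list <namespace>` prints one `key=value` line per setting."""
    out = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            out[key.strip()] = value.strip()
    return out

def triage(packages: set[str], secure: dict, global_: dict) -> list[str]:
    """Return human-readable findings for the indicators in the report."""
    findings = []
    if DVMAP_PACKAGE in packages:
        findings.append(f"C2 helper package installed: {DVMAP_PACKAGE}")
    # Assumption: Settings.Secure key install_non_market_apps, "1" means
    # Unknown Sources is enabled (key is deprecated on newer Android).
    if secure.get("install_non_market_apps") == "1":
        findings.append("Unknown Sources is enabled")
    # Assumption: Settings.Global key package_verifier_enable, "0" means
    # Verify Apps is switched off.
    if global_.get("package_verifier_enable") == "0":
        findings.append("Verify Apps (package verifier) is disabled")
    return findings

def triage_sample() -> list[str]:
    """Run the triage over the constructed sample; expect three findings."""
    return triage(parse_package_list(SAMPLE_PACKAGES),
                  parse_settings(SAMPLE_SECURE),
                  parse_settings(SAMPLE_GLOBAL))
```

On a real device, feed the functions the output of the corresponding `adb shell` commands; a hit on any finding is a reason to back up data and factory reset, as the advice below recommends.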
"Trojan Dvmap marks a dangerous new development in Android malicious software, with malicious code being introduced into system libraries where it is more difficult to locate and remove. Users who do not have the security to locate and block the threat before it spreads will suffer a lot. We believe we have uncovered the malicious software at a very early stage. Our analysis shows that the malicious sections report every move to the intruders and some techniques can break the 'infected' devices. Time is essential when it comes to preventing a massive and dangerous attack," said Roman Unuchek, Kaspersky Lab's Senior Malware Analyst.
Users who suspect they may be infected by Dvmap are advised to back up all of their data and perform a factory reset. In addition, Kaspersky Lab advises all users to always check that applications come from a trusted developer, to keep their operating system and application software up to date, and not to download anything that is suspicious or whose source cannot be verified.
All Kaspersky Lab products detect the Trojan as Trojan.AndroidOS.Dvmap.a.