Dvmap Trojan for Android smartphones on Google Play

Dvmap Trojan: Kaspersky Lab experts have discovered an unusual new Trojan that is distributed through the Google Play Store. The Dvmap Trojan is not only able to acquire root access rights on Android smartphones, but can also take control of the device by injecting malicious code into the system library. If successful, it can then remove root access, which helps it avoid detection.

The Trojan has been downloaded from Google Play more than 50,000 times since March 2017. Kaspersky Lab reported the Trojan to Google, and it has now been removed from the store.

Gaining the ability to inject code is a dangerous new development in mobile malware. Since the approach can be used to perform malicious operations even after root access has been removed, any security solutions and banking apps with root-detection capabilities that are installed after the "infection" will not detect the presence of the malware.

However, modifying system libraries is a risky process that can fail. The researchers noticed that the Dvmap malware monitors and reports its every move to the command and control server, although the command server did not respond with instructions. This indicates that the malware is not yet fully ready or implemented.

Dvmap is distributed as a game through the Google Play Store. To circumvent the store's security checks, the malware developers uploaded a "clean" app to the store at the end of March 2017. They then updated it with a malicious version for a short time, before uploading another clean version. Within four weeks, they did this at least five times.

The Dvmap Trojan installs itself on the victim's device in two stages. During the initial phase, the malware tries to gain root privileges on the device. If successful, it installs a number of tools, some of which contain comments in Chinese. One of these modules is an application, "com.qualcmm.timeservices", which connects the Trojan to the command and control server. However, during the investigation period the malware did not receive any commands in return.

In the main phase of the "infection", the Trojan launches a "boot" file, checks the installed version of Android and decides which library to inject its code into. The next step is overwriting the existing code with malicious code, which can cause the "infected" device to crash.

The newly patched system libraries execute a malicious module that can turn off the "Verify Apps" feature. It then turns on the "Unknown Sources" setting, which allows it to install apps from anywhere, not just from the Google Play Store. These could be malicious or unwanted advertising applications.

"Trojan Dvmap marks a dangerous new development in Android malicious software, with malicious code being introduced into system libraries where it is more difficult to locate and remove. Users who do not have the security to locate and block the threat before it spreads will suffer a lot. We believe we have uncovered malicious software at a very early stage. Our analysis shows that the malicious sections report every move to the intruders and some techniques can break the 'infected' devices. Time is essential when it comes to preventing a massive and dangerous attack," said Roman Unuchek, Kaspersky Lab's Senior Malware Analyst.

Concerned users who may have been "infected" by Dvmap are advised to back up all their data and perform a factory data reset. In addition, Kaspersky Lab advises all users to always check that applications are created by a trusted developer, keep their operating system and application software up-to-date, and not "download" anything that looks suspicious or whose source cannot be verified.

All Kaspersky Lab products detect the Trojan as Trojan.AndroidOS.Dvmap.a.

iGuRu.gr The Best Technology Site in Greece


Written by Dimitris
