Say hello to Dvmap: The first Android malware with code injection

Trojan deletes root access to dodge detection

A powerful Android trojan with novel code injection features that posed as a game was distributed through the Google Play Store before its recent removal.

The Dvmap trojan installs its malicious modules while also injecting hostile code into the system runtime libraries. But Dvmap has other tricks up its sleeve. Once successfully installed, the malware deletes root access in an attempt to avoid detection.

"The introduction of code injection capability is a dangerous new development in mobile malware," according to Kaspersky Lab. "Since the approach can be used to execute malicious modules even with root access deleted, any security solutions and banking apps with root-detection features that are installed after infection won't spot the presence of the malware."

The trojan was downloaded from Google Play more than 50,000 times since March, according to security researchers at the Russian antivirus firm. Kaspersky Lab reported the trojan to Google, which removed the software nasty from its store.

Dvmap was distributed while posing as a simple, addictive puzzle game called colourblock, posted under the name "Retgumhoap Kanumep". Developers bypassed the store's security checks by uploading a clean app at the end of March. They then updated this with a malicious version for a short period of time before uploading another clean version.

If activated, the malware reported to a command and control server – although the server didn't respond with instructions, according to Kaspersky Lab. "This suggests that the malware is not yet fully ready or implemented," the researchers note.
