PINDROP BLOG

Android Trojan That Can Inject Code, Root Devices, Removed From Play Store

Researchers have discovered a new Android trojan in the Google Play app store that has the ability to root devices and can inject malicious code into system runtime libraries.

The Dvmap trojan is thought to be the first such piece of malware that’s capable of injecting code into system libraries at runtime, and researchers at Kaspersky Lab said the app containing the malware has been downloaded more than 50,000 times. The malware is disguised as a puzzle game and the attackers behind it have used some innovative methods to get past Google’s security roadblocks for Play.

“To bypass Google Play Store security checks, the malware creators used a very interesting method: they uploaded a clean app to the store at the end of March, 2017, and would then update it with a malicious version for a short period of time. Usually they would upload a clean version back on Google Play the very same day. They did this at least 5 times between 18 April and 15 May,” Roman Unuchek, a researcher at Kaspersky, wrote in an analysis of the malware.

“All the malicious Dvmap apps had the same functionality. They decrypt several archive files from the assets folder of the installation package, and launch an executable file from them with the name ‘start’.”

Google has removed the Dvmap trojan from the Play store after Kaspersky reported it to the company. Unuchek said it’s not entirely clear what the endgame was for the attackers who created and uploaded the malware. After installation, the trojan tries to gain root privileges on the infected device and then starts its main process, which injects code into the device’s runtime libraries.

“During patching, the Trojan will overwrite the existing code with malicious code so that all it can do is execute /system/bin/ip. This could be very dangerous and cause some devices to crash following the overwrite. Then the Trojan will put the patched library back into the system directory. After that, the Trojan will replace the original /system/bin/ip with a malicious one from the archive (Game324.res or Game644.res). In doing so, the Trojan can be sure that its malicious module will be executed with system rights. But the malicious ip file does not contain any methods from the original ip file. This means that all apps that were using this file will lose some functionality or even start crashing,” Unuchek said.

The Dvmap malware will also try to turn off the Verify Apps functionality on infected devices. This feature continuously checks installed apps to ensure that they’re not malicious or exhibiting undocumented behavior.
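A defender-side integrity check for the two modifications described above (the patched runtime library and the replaced /system/bin/ip) plus the Verify Apps setting, added here as an example and not code from the article or from Kaspersky. It assumes the files have been pulled from the device into a local directory, that the runtime library in question is libdvm.so or libart.so, that the patched library carries the `/system/bin/ip` path as a literal string, and that Verify Apps is backed by the `package_verifier_enable` global setting; all sample file contents are constructed.

```python
import hashlib
import tempfile
from pathlib import Path

# Files the article says Dvmap tampers with: the runtime library it patches
# (assumption: libdvm.so or libart.so) and the /system/bin/ip binary it replaces.
WATCHED = ("system/bin/ip", "system/lib/libdvm.so", "system/lib/libart.so")
# Assumption: the patched library carries the exec'd path as a literal string; a clean one does not.
SUSPICIOUS_REF = b"/system/bin/ip"

def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()

def build_baseline(root: str) -> dict:
    """Digests of the watched files taken from a trusted image of the same build."""
    base = Path(root)
    return {rel: sha256_of(base / rel) for rel in WATCHED if (base / rel).is_file()}

def check_tree(root: str, baseline: dict) -> list:
    """Compare a /system tree pulled from a device against the baseline; return findings."""
    findings = []
    for rel, expected in baseline.items():
        p = Path(root) / rel
        if not p.is_file():
            findings.append(f"MISSING {rel}")
            continue
        if sha256_of(p) != expected:
            findings.append(f"MODIFIED {rel}")
        if rel.endswith(".so") and SUSPICIOUS_REF in p.read_bytes():
            findings.append(f"EXECS_IP {rel}")
    return findings

def verify_apps_enabled(settings_output: str) -> bool:
    """Parse `settings get global package_verifier_enable` (assumed to back Verify Apps)."""
    return settings_output.strip() != "0"  # unset ("null") defaults to enabled

def demo() -> list:
    """Constructed sample: a clean tree, then the two changes the article describes."""
    clean = {"system/bin/ip": b"\x7fELF original ip", "system/lib/libdvm.so": b"\x7fELF dalvik"}
    infected = {"system/bin/ip": b"\x7fELF payload from Game324.res",
                "system/lib/libdvm.so": b"\x7fELF patched: exec /system/bin/ip"}
    with tempfile.TemporaryDirectory() as a, tempfile.TemporaryDirectory() as b:
        for root, files in ((a, clean), (b, infected)):
            for rel, data in files.items():
                (Path(root) / rel).parent.mkdir(parents=True, exist_ok=True)
                (Path(root) / rel).write_bytes(data)
        return check_tree(b, build_baseline(a))
```

On a real device the tree would come from `adb pull /system/bin/ip` and `adb pull /system/lib`, with the baseline built from a factory image of the same build.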

“It looks like its main purpose is to get into the system and execute downloaded files with root rights. But I never received such files from their command and control server,” Unuchek said.

“These malicious modules report to the attackers about every step they are going to make. So I think that the authors are still testing this malware, because they use some techniques which can break the infected devices.”
