Dvmap: Android-Rooting Trojan with Code Injection Ability

Earlier today, security researchers at Kaspersky Lab released a blog post describing an Android-rooting trojan with code injection ability that is spreading through the official Android app store (Google Play Store).

The attackers are using several techniques to fool Google's security checks. Earlier this week we described in our blog post how hackers were using different methods to spread malware and attack users.

A very similar method was used to spread this Android-rooting Trojan, dubbed Dvmap. To avoid getting caught, the developers first released a clean version of the Android application and then, later on and for a short period of time, pushed malicious updates.

The malicious code was kept in the application only for a short period and was then removed again with another update, which successfully fooled Google's security mechanism.

This technique had earlier been used multiple times to spread the infamous Ztorg Trojan.

The Dvmap trojan is special because it injects malicious code into system libraries at runtime to gain root access, stay persistent and disable Android security settings. It also downloads other malicious apps from third-party sources.

The researchers at Kaspersky Lab discovered this malware hiding in an Android game named Colourblock, which has more than 50,000 downloads in the Play Store.

[Image: Dvmap Android rooting trojan; image source: Kaspersky Lab blog]

Here is How Dvmap Works

Dvmap first tries to gain root access on the device in order to install some modules. To make sure its malicious code is executed with system rights, the malware overwrites the system's runtime library, as mentioned earlier.

“Trojan uses 4 different exploit pack files, 3 for 32-bit systems and 1 for 64-bit systems. If these files successfully gain root rights, the Trojan will install several tools into the system. It will also install the malicious app ‘com.qualcmm.timeservices’,” said the researcher.

To complete the installation of the malicious app, it turns off Android's application verification option (“VerifyApp”) and enables the “Unknown sources” setting to allow the installation of third-party applications.

“Furthermore, it can grant the ‘com.qualcmm.timeservices’ app Device Administrator rights without any interaction with the user, just by running commands. It is a very unusual way to get Device Administrator rights,” the researchers said.
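As an added example (not code from the original post or from Kaspersky's write-up), here is a small Python triage helper a defender could run against the output of a few `adb shell` commands to check a device for the two settings changes described above and for the installer package named in the write-up. It assumes the Settings keys `package_verifier_enable` (global namespace) and `install_non_market_apps` (secure namespace) exist on the device's Android version, and it parses the standard `package:<name>` lines that `pm list packages` prints; the command output embedded below is constructed sample text so that the script runs offline.

```python
"""Triage helper: flag the device changes attributed to Dvmap.

Inputs are the text returned by `adb shell settings get <namespace> <key>`
and `adb shell pm list packages -3` (third-party packages only).  The sample
output at the bottom is constructed so the script runs without a device.
"""

# Package name the Kaspersky write-up attributes to Dvmap's installer.
DVMAP_PACKAGE = "com.qualcmm.timeservices"

# (namespace, key, value considered safe, description of the weak state).
# Assumed to be present on the device's Android version; a missing key reads
# back as "null" from `settings get`, and install_non_market_apps was
# deprecated in Android 8, so both cases are treated as "nothing to conclude".
SETTING_CHECKS = [
    ("global", "package_verifier_enable", "1",
     "Verify Apps is disabled"),
    ("secure", "install_non_market_apps", "0",
     "Unknown sources (sideloading) is enabled"),
]


def parse_pm_list(output: str) -> set:
    """Parse `pm list packages` output: one `package:<name>` per line."""
    packages = set()
    for line in output.splitlines():
        line = line.strip()
        if line.startswith("package:"):
            packages.add(line[len("package:"):])
    return packages


def parse_setting(output: str) -> str:
    """`settings get` prints the raw value, or `null` when the key is unset."""
    return output.strip()


def audit(settings: dict, pm_output: str) -> list:
    """Return human-readable findings for one device.

    `settings` maps (namespace, key) to the text `settings get` returned;
    `pm_output` is the text of `pm list packages -3`.
    """
    findings = []
    for namespace, key, safe_value, description in SETTING_CHECKS:
        value = parse_setting(settings.get((namespace, key), "null"))
        if value == "null":
            continue  # key absent on this Android version
        if value != safe_value:
            findings.append(f"{namespace}/{key}={value}: {description}")
    if DVMAP_PACKAGE in parse_pm_list(pm_output):
        findings.append(f"{DVMAP_PACKAGE} is installed as a third-party app")
    return findings


# Constructed sample output from an infected device: verification off,
# sideloading on, and the installer package present alongside a benign app.
SAMPLE_SETTINGS = {
    ("global", "package_verifier_enable"): "0\n",
    ("secure", "install_non_market_apps"): "1\n",
}
SAMPLE_PM_OUTPUT = (
    "package:com.android.chrome\n"
    "package:com.qualcmm.timeservices\n"
)

if __name__ == "__main__":
    for finding in audit(SAMPLE_SETTINGS, SAMPLE_PM_OUTPUT):
        print(finding)
```

On a real device the two dictionaries would be filled from `adb shell settings get global package_verifier_enable`, `adb shell settings get secure install_non_market_apps` and `adb shell pm list packages -3`; the script deliberately reports nothing for a key the device does not have rather than guessing at its default.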

The researchers further say that the app successfully established a connection with the command-and-control (C&C) server but received no commands, so it is still not clear whether this trojan is meant to run malicious files or advertising files.

The researchers have notified Google about the application, and Google has removed it from the Play Store.

How can you stay safe?

Users who have downloaded the application are advised to do a hard reset of their Android device to make sure the malware is removed.

Having a good antivirus program installed on your devices is always a plus when it comes to security.