Android Malware: Dvmap


A well-known Russian cyber security and anti-virus provider has discovered one of the first kinds of Android malware with code injection capabilities. The Android malware is named “Dvmap”, and according to the researchers it is rooting malware that has been delivered to nearly 50,000 users so far via the Google Play store.

The term ‘rooting’ refers to the process by which the user of an Android device gains privileged control, also known as root access, over Android subsystems.

The fact that Dvmap can inject malicious code into the system libraries of the Android device makes it far more dangerous than other known Android malware. After thorough research it has been determined that the malicious code is injected into two system libraries, libandroid_runtime.so and libdmv.so.

Apart from being the first Android malware to inject malicious code into the system libraries of Android devices, another aspect of this app worth noting is that it has been downloaded nearly 50,000 times from the Google Play Store.

What on earth is happening? How did the attackers manage to bypass Google Play security and spread the malware to nearly 50,000 Android devices across the world?

To be frank, the attackers used a cleverly crafted methodology to bypass Google Play security. They uploaded a clean app to the Google Play store in the last week of March 2017. After staying under the radar for a while with the clean app already in the store, they changed course by pushing an update containing the malicious version of the app. The malicious version stayed live only for a short period, and the clean version of the app was uploaded again on the same day.

Technical Details:

Once installed on the Android device, the malicious Dvmap app decrypts multiple archived files from the assets folder of the Android application package and then launches an executable file named “start”.

Figure: the encrypted archives in the assets folder that are decrypted by the malicious version of the Dvmap app.

The encrypted files shown in the screenshot above fall into two groups: the first group, consisting of Game321.res, Game322.res, Game323.res and Game642.res, is used in the initial phase of the infection, while the second group, Game324.res and Game644.res, is used in the final phase of the malware's deployment.
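As an added example, not code from the original report or from the researchers who analysed Dvmap: a defender-side triage script that scans an APK's assets folder for encrypted-looking .res archives of the kind described above, flagging entries by Shannon entropy and by the Game###.res naming pattern. The entropy threshold and the in-memory sample APK are constructed assumptions.

```python
import io
import math
import random
import re
import zipfile
from collections import Counter

# Assumption: the Game###.res naming follows the file names quoted in the Dvmap write-up.
KNOWN_NAME = re.compile(r"^assets/Game\d{3}\.res$")

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: encrypted or packed data sits close to 8.0, text far below it."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def scan_apk_assets(apk_bytes: bytes, threshold: float = 7.5) -> list:
    """Flag assets/*.res entries that look encrypted or carry a Dvmap-style name."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for info in apk.infolist():
            name = info.filename
            if not (name.startswith("assets/") and name.endswith(".res")):
                continue
            entropy = shannon_entropy(apk.read(name))
            reasons = []
            if entropy >= threshold:
                reasons.append("high-entropy content (likely encrypted or packed)")
            if KNOWN_NAME.match(name):
                reasons.append("name matches the Game###.res pattern")
            if reasons:
                hits.append({"name": name, "entropy": round(entropy, 2), "reasons": reasons})
    return hits

def build_sample_apk() -> bytes:
    """Constructed in-memory APK (a zip) with one encrypted-looking asset and two benign ones."""
    rng = random.Random(2017)  # seeded so the 'encrypted' blob is reproducible
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as apk:
        apk.writestr("assets/Game321.res", rng.randbytes(4096))  # stand-in for an encrypted archive
        apk.writestr("assets/readme.res", b"plain text asset\n" * 200)  # low entropy, benign name
        apk.writestr("assets/Game999.res", b"level data\n" * 100)  # benign content, suspicious name
    return buf.getvalue()

if __name__ == "__main__":
    for hit in scan_apk_assets(build_sample_apk()):
        print(hit["name"], hit["entropy"], "; ".join(hit["reasons"]))
```

Point `scan_apk_assets` at the bytes of a real APK to triage it; an entry flagged for both reasons deserves a closer look, while a name-only match on readable content is a weak signal.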

Dvmap also supports 64-bit versions of Android, which is quite uncommon; very few Android malware families do so.


Date Published: June 09, 2017