Android malware hid in Google Play apps to inject code into system runtime libraries

Its main purpose? Execute with root rights.

David Bisson

A type of Android malware known as Dvmap hid in apps available on the Google Play Store in order to inject malicious code into system runtime libraries.

So far, Kaspersky has detected at least 50,000 downloads of the malware, which hid in apps like the puzzle game “colourblock” on Google’s Play Store.

The Russian security firm subsequently notified Google of colourblock and the other affected apps. In response, Google removed the compromised apps from its marketplace.

Trojan.AndroidOS.Dvmap.a on Google Play. (Source: Kaspersky Lab)

Dvmap’s creators sidestepped Google’s security checks by replacing a clean version of each affected app with a malicious version and then reinstating the benign version. Sometimes the bad actors completed this cycle over the course of a single day. In total, they followed this procedure five times between 18 April and 15 May.

Upon initial installation, the malware attempts to gain root privileges and to install some modules, including a malicious app called com.qualcmm.timeservices. It then launches a start file to check the Android system version and determine which runtime system library to patch. For Android 4.4 and lower, it patches _Z30dvmHeapSourceStartupBeforeForkv from libdvm.so, whereas for newer versions, it updates nativeForkAndSpecialize from libandroid_runtime.so.

Roman Unuchek, a senior malware analyst at Kaspersky Lab, explains what this patching activity entails:

“During patching, the Trojan will overwrite the existing code with malicious code so that all it can do is execute /system/bin/ip. This could be very dangerous and cause some devices to crash following the overwrite. Then the Trojan will put the patched library back into the system directory. After that, the Trojan will replace the original /system/bin/ip with a malicious one from the archive (Game324.res or Game644.res). In doing so, the Trojan can be sure that its malicious module will be executed with system rights. But the malicious ip file does not contain any methods from the original ip file. This means that all apps that were using this file will lose some functionality or even start crashing.”

The malicious ip file is capable of disabling “VerifyApps,” changing system settings to allow the installation of apps from third-party marketplaces, and granting com.qualcmm.timeservices Device Administrator rights. This app can then use those rights to download archives and connect to its command-and-control (C&C) server.
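The indicators above (the dropped package, the patched runtime library, the swapped /system/bin/ip, the non-market install setting and the Device Administrator grant) can be checked from a forensic image or over adb. The following triage script is an added example written for this article, not code from Kaspersky or from the article; it assumes the usual output formats of `pm list packages`, `settings get secure install_non_market_apps`, `sha256sum` and `dumpsys device_policy`, and the baseline digests are placeholders to be replaced with values taken from a clean copy of the same firmware.

```python
"""Offline triage of the Dvmap indicators described above.

Inputs are the text that these adb commands would return on a device
(constructed samples are embedded below so the script runs without a device):
  adb shell pm list packages
  adb shell settings get secure install_non_market_apps
  adb shell sha256sum /system/bin/ip /system/lib/libandroid_runtime.so
  adb shell dumpsys device_policy
"""
from __future__ import annotations
import re

SUSPECT_PACKAGES = {"com.qualcmm.timeservices"}  # module named in the article
# Placeholder digests (assumption): take real ones from an identical, clean firmware image.
KNOWN_GOOD = {"/system/bin/ip": "0f" * 32, "/system/lib/libandroid_runtime.so": "1e" * 32}


def find_suspect_packages(pm_output: str) -> list[str]:
    """Watched package names present in `pm list packages` output ("package:<name>" lines)."""
    installed = {ln.split(":", 1)[1].strip() for ln in pm_output.splitlines() if ln.startswith("package:")}
    return sorted(installed & SUSPECT_PACKAGES)


def find_tampered_files(sha_output: str, known_good: dict[str, str]) -> list[str]:
    """Paths whose on-device sha256 differs from the clean baseline (patched library or swapped ip)."""
    tampered = []
    for ln in sha_output.splitlines():
        parts = ln.split()
        if len(parts) == 2 and parts[1] in known_good and known_good[parts[1]] != parts[0].lower():
            tampered.append(parts[1])
    return tampered


def find_suspect_admins(dumpsys_output: str) -> list[str]:
    """Watched packages listed as device admins; assumes the usual '<pkg>/<receiver>' line format."""
    return sorted(p for p in SUSPECT_PACKAGES if re.search(r"\b" + re.escape(p) + "/", dumpsys_output))


def assess(pm_output: str, non_market: str, sha_output: str, dumpsys_output: str) -> dict:
    """Collect every indicator into one report; any non-empty or true field warrants a closer look."""
    return {
        "suspect_packages": find_suspect_packages(pm_output),
        "non_market_installs_enabled": non_market.strip() == "1",
        "tampered_files": find_tampered_files(sha_output, KNOWN_GOOD),
        "suspect_device_admins": find_suspect_admins(dumpsys_output),
    }


# Constructed sample output mimicking an infected device: ip replaced, runtime library intact.
SAMPLE_PM = "package:com.android.settings\npackage:com.qualcmm.timeservices\n"
SAMPLE_SHA = f"{'ff' * 32}  /system/bin/ip\n{'1e' * 32}  /system/lib/libandroid_runtime.so\n"
SAMPLE_DPM = "Enabled Device Admins (User 0):\n  com.qualcmm.timeservices/.DeviceAdminReceiver\n"

if __name__ == "__main__":
    print(assess(SAMPLE_PM, "1", SAMPLE_SHA, SAMPLE_DPM))
```

A hash mismatch on the runtime library alone does not prove Dvmap (OTA updates change it too), so compare against the exact firmware build the device reports.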

To protect themselves against Dvmap, users should install an anti-virus solution onto their devices. They should also be careful about what apps they install onto their phones. As Dvmap and other threats prove, malware can hide in apps available on Google’s Play Store.

Users should therefore do their due diligence by researching an app and reviewing its list of requested permissions before they choose to install it.


David Bisson is an infosec news junkie and security journalist. He works as Contributing Editor for Graham Cluley Security News and Associate Editor for Tripwire's "The State of Security" blog.
