A type of Android malware known as Dvmap hid in apps available on the Google Play Store in order to inject malicious code into system runtime libraries.
So far, Kaspersky has detected at least 50,000 downloads of the malware, which hid in apps like the puzzle game “colourblock” on Google’s Play Store.
The Russian security firm subsequently notified Google of colourblock and the other affected apps. In response, Google removed the compromised apps from its marketplace.
Dvmap’s creators sidestepped Google’s security checks by replacing a clean version of each affected app with a malicious version and then reinstating the benign version. Sometimes the bad actors completed this cycle over the course of a single day. In total, they followed this procedure five times between 18 April and 15 May.
Upon initial installation, the malware attempts to gain root privileges and to install some modules, including a malicious app called com.qualcmm.timeservices. It then launches a start file to check the Android system version and determine which runtime system library to patch. For Android 4.4 and lower, it patches _Z30dvmHeapSourceStartupBeforeForkv from libdvm.so, whereas for newer versions, it updates nativeForkAndSpecialize from libandroid_runtime.so.
Roman Unuchek, a senior malware analyst at Kaspersky Lab, explains what this patching activity entails:
“During patching, the Trojan will overwrite the existing code with malicious code so that all it can do is execute /system/bin/ip. This could be very dangerous and cause some devices to crash following the overwrite. Then the Trojan will put the patched library back into the system directory. After that, the Trojan will replace the original /system/bin/ip with a malicious one from the archive (Game324.res or Game644.res). In doing so, the Trojan can be sure that its malicious module will be executed with system rights. But the malicious ip file does not contain any methods from the original ip file. This means that all apps that were using this file will lose some functionality or even start crashing.”
The malicious ip file is capable of disabling “VerifyApps,” changing system settings to allow the installation of apps from third-party marketplaces, and grant com.qualcmm.timeservices Device Administrator rights. This app can then use those rights to download archives and connect to its C&C.
To protect themselves against Dvmap, users should install an anti-virus solution onto their devices. They should also be careful about what apps they install onto their phones. As Dvmap and other threats prove, malware can hide in apps available on Google’s Play Store.
Users should therefore do their due diligence by researching an app and reviewing its list of requested permissions before they choose to install it.
Found this article interesting? Follow Graham Cluley on Twitter or Mastodon to read more of the exclusive content we post.