New Dvmap Trojan can delete system's root access, reveals Kaspersky

The recently discovered Dvmap Trojan can destroy root access after gaining rights on an Android smartphone, revealed Kaspersky Lab experts. Subsequently, since it cannot be detected, there also looms a threat of the device being controlled by the Trojan, by injecting a malicious code into the system library.

The introduction of the code injection capability is a dangerous new development in mobile malware. Since the approach can be used to execute malicious modules even with root access deleted, any security solutions and banking apps with root-detection features that are installed after infection won't spot the presence of the malware.

However, modification of the system libraries is a risky process that can misfire. The researchers observed that the Dvmap malware tracks and reports its every move to its command and control server - although the command server didn't respond with instructions. This suggests that the malware is not yet fully ready or implemented.

Dvmap is distributed as a game through Google Play Store. To bypass the store's security checks, the malware creators uploaded a clean app to the store at the end of March 2017.They then updated this with a malicious version for a short period of time, before uploading another clean version. In the space of four weeks they did this at least five times.

The Dvmap Trojan installs itself onto a victim device in two stages. During the initial phase, the malware tries to gain root rights on the device. If successful, it will install a number of tools, some of which carry comments in the Chinese language. One of these modules is an application, 'com.qualcmm.timeservice', which connects the Trojan to its command and control server. However, during the period of investigation the malware did not receive any commands in return.

In the main phase of infection, the Trojan launches a 'start' file, checks the version of Android installed and decides which library to inject its code into. The next step: overwriting the existing code with malicious code, can cause the infected device to crash.

The newly-patched system libraries execute a malicious module which can turn off the 'VerifyApps' feature. It then switches on the setting 'Unknown sources' which allows it to install apps from anywhere, not just the Google Play Store. These could be malicious or unsolicited advertising apps.

"The Dvmap Trojan marks a dangerous new development in Android malware, with the malicious code injecting itself into system libraries where it is harder to detect and remove. Users who don't have the security in place to identify and block the threat before it breaks in have a difficult time ahead. We believe that we have uncovered the malware at a very early stage. Our analysis shows that the malicious modules report their every move to the attackers and some techniques can break the infected devices. Time is of the essence if we are going to prevent a massive and dangerous attack," said Roman Unuchek, Senior Malware Analyst, Kaspersky Lab.

The Trojan, which was downloaded from Google Play more than 50,000 times since inception, has now been removed from the store.

However, Kaspersky experts believe that users must organise and back-up data from time to time. Additionally, Kaspersky also recommended users to install a reliable security solution, check that apps have been created by a reputable developer, to keep their OS and application software up-to-date, and not to download anything that looks at all suspicious or whose source cannot be verified.

-ANI