Dvmap: a Google Play Trojan that uses a new technique to control devices

Experts from Kaspersky Lab have detected a new, unusual Trojan spread via the Google Play Store. The Dvmap Trojan can not only obtain administrator-level access rights on an Android smartphone, but also take control of the device by placing malicious code in a specific system library, which makes an infection difficult to detect.

Dvmap is distributed via the Google Play Store as a game. Since March 2017, this Trojan has been downloaded from the Play Store over 50,000 times. To circumvent the store's security checks, the creators of the malware first placed a non-infected application in the store. They then replaced it with a malicious version for a short time before publishing another "clean" version. They did this at least five times in four weeks.

The Dvmap Trojan installs itself on the victim's device in two stages. In the initial phase, the malware tries to obtain administrator-level rights on the device. If the attempt succeeds, it installs a number of tools, some with comments in Chinese. One of these modules is the "com.qualcmm.timeservices" application, which connects the Trojan to its control server. However, during the period in which the study was conducted, the malware did not receive any commands in response.

The introduction of code injection capability is a dangerous new trend in the development of mobile malware. Because this approach can be used to perform malicious activities even after administrative privileges have been disabled, security solutions and banking applications installed after the infection will not detect the presence of the malware.

During the main infection phase, the Trojan checks the version of the installed Android system and decides which library to inject its code into. The next step - overwriting the current code with malicious code - may cause the infected device to fail.

The modified system libraries execute a malicious module that can disable the verification of installed applications and automatically enable the installation of programs from untrusted sources. These may be, for example, harmful or unwanted advertising applications.

Users who are concerned that their devices may have been infected with the Dvmap Trojan should back up all their data and restore the factory settings of the smartphone or tablet. In addition, Kaspersky Lab recommends that all users install a reliable security solution on their device, check whether downloaded applications have been published by a trusted provider, keep the operating system and software up to date, and not download anything that seems suspicious or whose source cannot be verified.
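A triage check for the indicators described above, added here as an example and not taken from Kaspersky Lab's analysis: it looks for the "com.qualcmm.timeservices" package and for the two settings changes the article describes. The settings keys `package_verifier_enable` and `install_non_market_apps` are standard Android keys assumed here (the article does not name them), and the sample output of `adb shell pm list packages` and `adb shell settings list global/secure` is constructed.

```python
# Added triage sketch; all sample adb output below is constructed.
DVMAP_PACKAGE = "com.qualcmm.timeservices"  # module named in the article

# Assumption: standard Android settings keys, not named in the article.
RISKY_SETTINGS = {
    "package_verifier_enable": ("0", "app verification is disabled"),
    "install_non_market_apps": ("1", "installs from untrusted sources are enabled"),
}

def parse_packages(pm_output):
    """Parse `pm list packages` lines of the form 'package:<name>'."""
    prefix = "package:"
    return {line.strip()[len(prefix):]
            for line in pm_output.splitlines()
            if line.strip().startswith(prefix)}

def parse_settings(settings_output):
    """Parse `settings list <namespace>` lines of the form 'key=value'."""
    values = {}
    for line in settings_output.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep:
            values[key] = value
    return values

def triage(pm_output, settings_output):
    """Return a list of human-readable findings; empty if none matched."""
    findings = []
    if DVMAP_PACKAGE in parse_packages(pm_output):
        findings.append(f"package {DVMAP_PACKAGE} is installed")
    settings = parse_settings(settings_output)
    for key, (bad_value, message) in RISKY_SETTINGS.items():
        if settings.get(key) == bad_value:
            findings.append(f"{message} ({key}={bad_value})")
    return findings

# Constructed sample: package list, then global and secure settings combined.
SAMPLE_PM = """package:com.android.settings
package:com.qualcmm.timeservices
package:com.example.game"""
SAMPLE_SETTINGS = """adb_enabled=0
package_verifier_enable=0
install_non_market_apps=1"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_PM, SAMPLE_SETTINGS):
        print("WARNING:", finding)
```

An empty result does not clear a device, because the article states that the injected code sits in a system library and is difficult to detect.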
