Android malware hid in Google Play apps to inject code into system runtime libraries

Its main purpose? Execute with root rights.

A type of Android malware known as Dvmap hid in apps available on the Google Play Store in order to inject malicious code into system runtime libraries.

So far, Kaspersky has detected at least 50,000 downloads of the malware, which hid in apps like the puzzle game "colourblock" on Google's Play Store.

The Russian security firm subsequently notified Google of colourblock and the other affected apps. In response, Google removed the compromised apps from its marketplace.

Trojan.AndroidOS.Dvmap.a on Google Play. (Source: Kaspersky Lab)

Dvmap's creators sidestepped Google's security checks by replacing a clean version of each affected app with a malicious version and then reinstating the benign version. Sometimes the bad actors completed this cycle over the course of a single day. In total, they followed this procedure five times between 18 April and 15 May.

Upon initial installation, the malware attempts to gain root privileges and to install some modules, including a malicious app called com.qualcmm.timeservices. It then launches a start file to check the Android system version and determine which runtime system library to patch. For Android 4.4 and lower, it patches _Z30dvmHeapSourceStartupBeforeForkv from libdvm.so, whereas for newer versions, it updates nativeForkAndSpecialize from libandroid_runtime.so.

Roman Unuchek, a senior malware analyst at Kaspersky Lab, explains what this patching activity entails:

"During patching, the Trojan will overwrite the existing code with malicious code so that all it can do is execute /system/bin/ip. This could be very dangerous and cause some devices to crash following the overwrite. Then the Trojan will put the patched library back into the system directory. After that, the Trojan will replace the original /system/bin/ip with a malicious one from the archive (Game324.res or Game644.res). In doing so, the Trojan can be sure that its malicious module will be executed with system rights. But the malicious ip file does not contain any methods from the original ip file. This means that all apps that were using this file will lose some functionality or even start crashing."

The malicious ip file is capable of disabling "VerifyApps," changing system settings to allow the installation of apps from third-party marketplaces, and granting com.qualcmm.timeservices Device Administrator rights. That app can then use those rights to download archives and connect to its C&C server.
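Because Dvmap's persistence depends on replacing /system/bin/ip and patching a runtime library, the most direct way to spot it on a device is to compare the system partition against known-good hashes and to look for the dropped package. The following is an added example (not code from the article or from Kaspersky) of such an integrity and indicator check. It assumes the library paths /system/lib/libdvm.so and /system/lib/libandroid_runtime.so (the article names only the file names), uses constructed stand-in bytes rather than real binaries, and treats the package name and file names the article gives as its indicators.

```python
import hashlib
from typing import Dict, List

# Files the article says Dvmap modifies. The library paths are assumed
# (the article gives only the file names); /system/bin/ip is named as-is.
DVMAP_TARGETS = {
    "/system/bin/ip": "replaced by Dvmap's malicious module (runs with system rights)",
    "/system/lib/libdvm.so": "patched on Android 4.4 and lower (_Z30dvmHeapSourceStartupBeforeForkv)",
    "/system/lib/libandroid_runtime.so": "patched on newer Android (nativeForkAndSpecialize)",
}
# Package name the article attributes to Dvmap (note the 'qualcmm' misspelling).
DVMAP_PACKAGE = "com.qualcmm.timeservices"


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a file's bytes."""
    return hashlib.sha256(data).hexdigest()


def build_baseline(files: Dict[str, bytes]) -> Dict[str, str]:
    """Record known-good hashes, e.g. taken from a freshly flashed factory image."""
    return {path: sha256_hex(content) for path, content in files.items()}


def check_integrity(baseline: Dict[str, str], current: Dict[str, bytes]) -> List[dict]:
    """Compare the current system partition against the baseline.

    Any change under /system is worth a look; changes to the files Dvmap is
    known to touch are rated critical.
    """
    findings = []
    for path, expected in baseline.items():
        if path not in current:
            status = "missing"
        elif sha256_hex(current[path]) != expected:
            status = "modified"
        else:
            continue  # unchanged
        findings.append({
            "path": path,
            "status": status,
            "severity": "critical" if path in DVMAP_TARGETS else "warning",
            "note": DVMAP_TARGETS.get(path, "unexpected change to /system"),
        })
    for path in sorted(set(current) - set(baseline)):
        findings.append({"path": path, "status": "added", "severity": "warning",
                         "note": "file not present in baseline"})
    return findings


def check_packages(installed: List[str], device_admins: List[str]) -> List[str]:
    """Flag the Dvmap package, and escalate if it holds Device Administrator rights."""
    alerts = []
    if DVMAP_PACKAGE in installed:
        alerts.append(f"{DVMAP_PACKAGE} installed")
        if DVMAP_PACKAGE in device_admins:
            alerts.append(f"{DVMAP_PACKAGE} holds Device Administrator rights")
    return alerts


# Constructed sample data: stand-in bytes, not real binaries.
CLEAN_SYSTEM = {
    "/system/bin/ip": b"ELF:ip:original:routes,links,addr",
    "/system/lib/libandroid_runtime.so": b"ELF:libandroid_runtime:nativeForkAndSpecialize",
    "/system/lib/libc.so": b"ELF:libc",
}
INFECTED_SYSTEM = dict(CLEAN_SYSTEM)
INFECTED_SYSTEM["/system/bin/ip"] = b"ELF:ip:dvmap-module"  # original binary swapped out
INFECTED_SYSTEM["/system/lib/libandroid_runtime.so"] = b"ELF:libandroid_runtime:exec-/system/bin/ip"  # patched

BASELINE = build_baseline(CLEAN_SYSTEM)


def scan_sample() -> dict:
    """Run both checks over the constructed infected snapshot."""
    return {
        "integrity": check_integrity(BASELINE, INFECTED_SYSTEM),
        "packages": check_packages(
            installed=["com.android.settings", "com.qualcmm.timeservices"],
            device_admins=["com.qualcmm.timeservices"],
        ),
    }


if __name__ == "__main__":
    report = scan_sample()
    for f in report["integrity"]:
        print(f"[{f['severity'].upper()}] {f['path']}: {f['status']} - {f['note']}")
    for a in report["packages"]:
        print(f"[CRITICAL] {a}")
```

On a real device the baseline would be built from the vendor's factory image and the snapshot pulled from the device over adb; the exact-match check on the package name is deliberately narrow, since the article's observation that the fake ip binary exports none of the original's functions means a modified /system/bin/ip is the stronger signal.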

To protect themselves against Dvmap, users should install an anti-virus solution onto their devices. They should also be careful about what apps they install onto their phones. As Dvmap and other threats prove, malware can hide in apps available on Google's Play Store.

Users should therefore do their due diligence by researching an app and reviewing its list of requested permissions before they choose to install it.
