New Android malware uses code injection to control devices
Researchers at Kaspersky Lab have released details of a new trojan being distributed via the Google Play store that is able to inject malicious code into the system runtime libraries.
Named Dvmap, the trojan is believed to have been downloaded from Google Play more than 50,000 times since March this year.
The addition of code injection marks a worrying new development in mobile malware. It means malicious modules can still be executed even with root access deleted. In addition, any security solutions and banking apps with root-detection features that are installed after infection won’t be able to spot the presence of the malware.
Analysis of the Dvmap code reveals that it tracks and reports its every move to its command and control server -- although the command server doesn't respond with instructions. This suggests that the malware may not yet be fully ready or implemented.
"The Dvmap Trojan marks a dangerous new development in Android malware, with the malicious code injecting itself into system libraries where it is harder to detect and remove," says Roman Unuchek, senior malware analyst at Kaspersky Lab. "Users who don't have the security in place to identify and block the threat before it breaks in have a difficult time ahead. We believe that we have uncovered the malware at a very early stage. Our analysis shows that the malicious modules report their every move to the attackers and some techniques can break the infected devices. Time is of the essence if we are going to prevent a massive and dangerous attack."
Dvmap is distributed as a game through the Google Play Store. To bypass the store’s security checks, the malware creators first uploaded a clean app to the store at the end of March 2017. They then updated this with a malicious version for a short period of time, before uploading another clean version. In the space of four weeks they have done this at least five times.
The trojan has been reported to Google and it's now been removed from the store. You can find out more about Dvmap on the Kaspersky SecureList blog.