Malware in the mobile space has finally made the leap into full-on code injection, thanks to Dvmap. Found by Kapersky, Dvmap is believed to be the very first malware for Android to ever hide a malicious payload, and then unleash it and directly inject it into a device’s system files. This is accomplished through clever hiding of files and use of encryption, and means that the infection will survive removal with root tools, and even a factory reset. Only a complete reformat of the system can cure a case of Dvmap that has run its full course. Since very few manufacturers’ tools have leaked onto the internet for everyday users to use, and since a very small swath of the Android device owner demographic would know how to reformat their device or be willing to do so, clearing the infection will typically require nothing less than having the phone re-flashed by the carrier or manufacturer.
The malware starts out innocently enough, coming across as a completely legitimate app. The one Kapersky found was listed on the Play Store as colourblock, and had over 50,000 downloads. The app’s malicious payload was hidden in encrypted files made to look like game assets. The owner of the app would reportedly push an update for a short time, and not very often, that decrypted the payload and started up the actual malicious functionality. While these updates were typically up for less than 24 hours in order to avoid being detected by Google, that is more than long enough for a good amount of the app’s users to take the update.
Once the app has an update to unlock the malicious content, the first thing on the app’s to-do list is to try obtaining root privileges. The app stores a number of different exploits for this very purpose. The pool of exploits covers both 32-bit and 64-bit Android devices, and if one of them happens to work, the app can then push a number of tools into a device to start up the main phase. That phase sees a completely separate malicious app installed with full root privileges, which is granted administrator privileges to boot. The file modifies key Android system components to make it easier to execute illicit code, and to make it harder for a user to fully remove the malware, as mentioned above. From there, it turns off protections to keep the device from installing apps from sources outside of the Play Store, then connects to a control server. The chain of events stops there, and for some reason the app receives no instructions from the server. At this point, it could very easily control the device, display advertisements, download apps, monitor the user both on-device and in the real world, or even steal vital data by impersonating the user. Kapersky reported all known instances of the malware to Google for removal, meaning that the Play Store should now be safe.
