A new rooting malware was detected that exhibited a feature never before seen: The trojan not only downloaded its modules onto targeted systems, but also injected malicious code into the systems' runtime libraries.
Distributed via the Google Play store, the malware was dubbed Trojan.AndroidOS.Dvmap.a. by researchers at Kaspersky Labs, who first detected it in April.
While the dissemination of malware through Google's online marketplace is nothing new, the researchers' report – on Kasperky Lab's Securelist blog – points out that what distinguishes Dvmap is the method in which it injects malicious code into the system libraries, libdmv.so or libandroid_runtime.so, among other techniques.
Thus, it is the first malware infecting Android systems capable of injecting malicious code into the system libraries in runtime. It has been downloaded from the Google Play store more than 50,000 times, the researchers reported.
Kaspersky Lab alerted Google to the malware and it was removed.
Analysis of the trojan's operations revealed what the Kaspersky team termed several "very dangerous techniques," particularly its ability to update, or patch, its coding already in place in the Google Play store. The malware's main purpose, the researchers surmised, is to penetrate deep into the targeted systems to execute downloaded files with root rights.
Further, the malware's modules report on each step of their activity to the miscreants behind the coding, so the researchers speculated that the authors are in a beta phase.
“One interesting technique of Dvmap includes patching system libraries," Roman Unuchek, senior malware analyst at Kaspersky Lab, and author of the report, told SC Media on Thursday. "Other rooting malware does not inject malicious code into the system libraries beforehand."
Another interesting thing is that the trojan supports even the 64-bit version of Android, which is very rare, Unuchek pointed out. Lastly, it has a unique method of how it grants device administrator rights to one of its modules, he said.
When asked what Google can do to prevent this sort of malware being loaded into its online store, Unuchek said it is hard to say because he does not know all the details of Google security mechanisms, but he would suggest that behavior analysis could help to detect and prevent this type of malicious activity.
Unuchek told SC that he believed the ultimate goal of this malware is the same as the goal of most rooting malware: to aggressively show ads and silently download, install and launch promoted apps.
Finally, he said as far as he knew, Google can notify infected users through their “Verify app” feature. :But this trojan is capable of turning it off. It has also been removed from the Google Play store and users concerned they may have been infected by Dvmap are advised to back up all their data and perform a factory data reset.”
While a large number of systems have already been tainted, Unuchek concludes his report hoping that his team's early detection of the scourge will mitigate further attacks.
