A new Android rooting malware, able to disable the device's security settings so that it can carry out malicious tasks in the background, has been detected on the official Google Play Store.
What is interesting is how it got there: the app fooled Google's security checks by first being published as a clean app and then, for short periods, being replaced with a malicious version.

The distribution of rooting malware through Google Play is not new. For example, the Ztorg Trojan has been uploaded to Google Play almost 100 times since September 2016. But Dvmap is a very special piece of rooting malware. It uses a variety of new techniques, the most interesting of which is that it injects malicious code into system libraries: libdmv.so or libandroid_runtime.so.

The malware, named Dvmap, was disguised as a game and had about 50,000 downloads prior to its removal. Dvmap is the first Android malware known to inject malicious code into system libraries at runtime.

The Trojan was uncovered by Roman Unuchek, a senior malware analyst with Kaspersky Lab. Unuchek found the malware on May 19 while analyzing results from an internal system he monitors to spot new rooting malware. Kaspersky Lab reported it to Google on May 25, and Google removed the Trojan on Tuesday.

The game, "colourblock," was billed as a "simplest, challenging, addictive" puzzle game in which users change the colors of blocks in order to change the color of the whole screen.

Once installed, the application tries to gain root access by launching a "start" file, which checks the version of Android running on the device and decides which library to inject its code into. If successful, the malware installs tools, some written in Chinese, that connect the Trojan to its C&C server.

Unuchek, who described Dvmap today in a post to Securelist, says it is unclear whether the malware is ready for prime time. He observed modules within the malware sending information back to the command and control server, but the server never responded, which hints that the malware is either not fully ready or not fully implemented.

To bypass Google Play's security checks, the malware creators used an interesting method: they uploaded a clean app to the store at the end of March 2017 and then updated it with a malicious version for a short period of time, usually uploading a clean version back to Google Play the very same day. They did this at least five times between 18 April and 15 May. This strategy likely helped the attackers get past the marketplace's security checks, which would have seen a clean app most of the time.

Verify Apps, Google's malware scanner for Android, checks new and installed software on devices against a list of known malware, but it is not immune to Dvmap, Unuchek says.

Modifying system libraries is not a failsafe practice, Unuchek cautions: in some instances the malware can crash the device by overwriting existing code.

All the malicious Dvmap apps had the same functionality. They decrypt several archive files from the assets folder of the installation package, and launch an executable file from them with the name “start.”

Encrypted archives in the assets folder

The interesting thing is that the Trojan even supports the 64-bit version of Android, which is very rare.

Part of the code where the Trojan chooses between 32-bit and 64-bit compatible files

The encrypted archives can be divided into two groups. The first comprises Game321.res, Game322.res, Game323.res and Game642.res, which are used in the initial phase of infection; the second comprises Game324.res and Game644.res, which are used in the main phase.
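The two facts above (the payloads live under assets/ in the installation package, and they are encrypted archives with fixed names) are enough for a cheap static triage of a suspicious APK. The following is an added example and is not Kaspersky's or the malware author's code: it walks the assets folder of an APK, flags entries whose names match the Dvmap naming scheme, and separately flags any asset whose byte entropy is close to 8 bits per byte, which is what an encrypted blob looks like regardless of its name. The entropy threshold and the sample APK built by build_sample_apk() are constructions for the demo, not real Dvmap artifacts.

```python
"""Static triage of an APK's assets folder for Dvmap-style encrypted payloads.

Added example, not from the write-up. The asset names come from the analysis
(Game321.res ... Game644.res); the entropy threshold and the sample APK are
assumptions/constructions for the demo.
"""
import io
import math
import re
import zipfile
from typing import Dict, List

# Names documented for Dvmap: Game3xx.res = 32-bit build, Game6xx.res = 64-bit
# build; xx1-xx3 are used in the initial phase, xx4 in the main phase.
DVMAP_ASSET_RE = re.compile(r"^assets/Game[36]\d{2}\.res$")

# Assumption: encrypted or compressed blobs sit near 8 bits/byte; plain text
# and most game data sit well below this.
ENTROPY_THRESHOLD = 7.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty or constant input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def scan_apk_assets(apk_bytes: bytes) -> List[Dict]:
    """Return one finding per file under assets/ in the APK (an APK is a zip)."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or not info.filename.startswith("assets/"):
                continue
            data = zf.read(info)
            ent = shannon_entropy(data)
            name_hit = bool(DVMAP_ASSET_RE.match(info.filename))
            high_ent = ent >= ENTROPY_THRESHOLD
            findings.append({
                "name": info.filename,
                "size": len(data),
                "entropy": round(ent, 2),
                "name_match": name_hit,      # matches the Dvmap naming scheme
                "high_entropy": high_ent,    # looks encrypted/compressed
                "suspicious": name_hit or high_ent,
            })
    return findings


def build_sample_apk() -> bytes:
    """Constructed stand-in APK for the demo (not a real Dvmap sample).

    The two .res entries are filled with uniformly distributed bytes so that
    their entropy is exactly 8.0; levels.txt is ordinary low-entropy text.
    """
    uniform = bytes(range(256)) * 16
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("assets/Game321.res", uniform)
        zf.writestr("assets/Game644.res", uniform)
        zf.writestr("assets/levels.txt", b"level1\nlevel2\n" * 64)
    return buf.getvalue()


if __name__ == "__main__":
    for f in scan_apk_assets(build_sample_apk()):
        flag = "SUSPICIOUS" if f["suspicious"] else "ok"
        print(f"{flag:10} {f['name']:28} {f['size']:6d} bytes  entropy={f['entropy']}")
```

Run it against a real APK by passing the file's bytes to scan_apk_assets(). The name check is a signature for this one family; the entropy check is the part that survives a rename, at the cost of also flagging legitimately compressed game assets, so treat a high-entropy hit as a reason to look closer, not as a verdict.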

“The newly patched system libraries execute a malicious module which can turn off the ‘VerifyApps’ feature,” Unuchek said. “It then switches on the setting ‘Unknown sources’ which allows it to install apps from anywhere, not just the Google Play Store. These could be malicious or unsolicited advertising apps.”
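The two effects described in the quote (Verify Apps switched off, Unknown sources switched on) and the patched system library are the observable traces a responder can look for on a device that may have run the game. The following is an added example, not code from the write-up or from Kaspersky: it parses the text that `adb shell settings list global` / `settings list secure` and `adb shell sha256sum` print, flags the weakened settings, and compares system library hashes against a known-good baseline taken from the same firmware build. The setting keys package_verifier_enable and install_non_market_apps are the ones Android uses for these two switches (install_non_market_apps has lived in both the global and secure namespaces on different Android releases, so both are checked), but the sample outputs, the library paths and the baseline hashes are constructed for the demo.

```python
"""Device triage for a Dvmap-style compromise: weakened install-protection
settings and modified system libraries.

Added example, not from the write-up. Input is the text printed by
`adb shell settings list <namespace>` and `adb shell sha256sum <paths>`;
the sample outputs and baseline below are constructed for the demo.
"""
import hashlib
import re
from typing import Dict, List

# Values Dvmap is reported to set. Assumption: these are the underlying
# Settings keys for "Verify Apps" and "Unknown sources".
WEAKENED_SETTINGS = {
    "package_verifier_enable": "0",   # Verify Apps turned off
    "install_non_market_apps": "1",   # Unknown sources turned on
}


def parse_settings_list(text: str) -> Dict[str, str]:
    """Parse `settings list <namespace>` output: one key=value per line."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or "=" not in line:
            continue
        key, _, value = line.partition("=")
        out[key.strip()] = value.strip()
    return out


def find_weakened_settings(namespaces: Dict[str, str]) -> List[str]:
    """namespaces maps 'global'/'secure' to the raw `settings list` output.

    The same key is checked in every namespace because install_non_market_apps
    moved between global and secure across Android releases.
    """
    hits = []
    for ns, text in namespaces.items():
        kv = parse_settings_list(text)
        for key, bad_value in WEAKENED_SETTINGS.items():
            if kv.get(key) == bad_value:
                hits.append(f"{ns}:{key}={bad_value}")
    return hits


def parse_sha256sum(text: str) -> Dict[str, str]:
    """Parse `sha256sum` output ('<hex>  <path>' per line) into path -> hex."""
    out = {}
    for line in text.splitlines():
        m = re.match(r"^([0-9a-fA-F]{64})\s+\*?(.+)$", line.strip())
        if m:
            out[m.group(2)] = m.group(1).lower()
    return out


def find_modified_libraries(observed: Dict[str, str], baseline: Dict[str, str]) -> List[str]:
    """Paths whose hash differs from the known-good image (or is absent from it)."""
    return [path for path, digest in sorted(observed.items()) if baseline.get(path) != digest]


def triage_device(namespaces: Dict[str, str], sha_output: str, baseline: Dict[str, str]) -> Dict:
    settings_hits = find_weakened_settings(namespaces)
    lib_hits = find_modified_libraries(parse_sha256sum(sha_output), baseline)
    return {
        "weakened_settings": settings_hits,
        "modified_libraries": lib_hits,
        "suspect": bool(settings_hits or lib_hits),
    }


# --- constructed sample data (not captured from a real device) ---------------
SAMPLE_GLOBAL = "airplane_mode_on=0\npackage_verifier_enable=0\nadb_enabled=1\n"
SAMPLE_SECURE = "install_non_market_apps=1\nlocation_providers_allowed=gps\n"

_GOOD_RUNTIME = b"constructed stand-in for an unmodified libandroid_runtime.so"
_PATCHED_RUNTIME = _GOOD_RUNTIME + b"\x90\x90 injected loader stub"
_GOOD_LIBC = b"constructed stand-in for libc.so"

# Baseline: hashes taken from the same firmware build on a clean device.
BASELINE = {
    "/system/lib/libandroid_runtime.so": hashlib.sha256(_GOOD_RUNTIME).hexdigest(),
    "/system/lib/libc.so": hashlib.sha256(_GOOD_LIBC).hexdigest(),
}
SAMPLE_SHA256SUM = (
    f"{hashlib.sha256(_PATCHED_RUNTIME).hexdigest()}  /system/lib/libandroid_runtime.so\n"
    f"{hashlib.sha256(_GOOD_LIBC).hexdigest()}  /system/lib/libc.so\n"
)

if __name__ == "__main__":
    report = triage_device({"global": SAMPLE_GLOBAL, "secure": SAMPLE_SECURE},
                           SAMPLE_SHA256SUM, BASELINE)
    for k, v in report.items():
        print(f"{k}: {v}")
```

Two caveats when using this for real: the baseline must come from the exact same firmware build (vendor patches change library hashes), and a rooted device can lie to `adb shell`, so a hash mismatch is strong evidence but a clean result from a possibly rooted device is not proof of a clean system. A factory reset, as the researchers recommend, is still the safe remediation.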

Android malware that helps attackers gain root access isn't exactly new. Researchers at Kaspersky Lab discovered an Android banking Trojan that tried to gain root privileges on devices last September. While that app wasn't in the Google Play marketplace, an app that Unuchek stumbled upon in September was. That app, masquerading as a Pokémon GO game, also gave attackers root access. On top of that, it was more popular than the game Unuchek found last week, having been downloaded more than 500,000 times before Google removed it.

Unuchek says the trait that most sets Dvmap apart, its ability to inject itself into system libraries, is particularly concerning.

“Injecting code into the system library is a new thing for Android malware and a very powerful thing. But at the same time, it is a very dangerous method that can break the device. I think that we’ll see a few more Trojans doing so in the future, but it is too dangerous a functionality for most Trojans and it is hard to implement.”

Kaspersky Lab and Unuchek are encouraging users who either downloaded the game or believe they’re infected to back up their data and perform a full factory data reset to mitigate the malware.

“Users who don’t have the security in place to identify and block the threat before it breaks in have a difficult time ahead,” Unuchek said of the malware.

Conclusions
This Trojan was distributed through the Google Play Store and uses a number of very dangerous techniques, including patching system libraries. It installs malicious modules with different functionality into the system. It looks like its main purpose is to get into the system and execute downloaded files with root rights. But I never received such files from their command and control server.

These malicious modules report to the attackers about every step they are going to make. So I think that the authors are still testing this malware, because they use some techniques which can break the infected devices. But they already have a lot of infected users on whom to test their methods.

I hope that by uncovering this malware at such an early stage, we will be able to prevent a massive and dangerous attack when the attackers are ready to actively use their methods.