
Android users beware: DVMap Trojan infects your Android

After Kaspersky Lab security researcher Roman Unuchek discovered a dangerous Trojan in it, Google removed the Android app named "colourblock" from its official Play Store.


Until its removal from the Play Store, the app had already been downloaded over 50,000 times on Android devices. Compared to other Trojans this is low, given that the app was uploaded to the platform in March 2017.

At first only a harmless version of the app was made available to users. Then, between the 14th of April and the 15th of May, the developer replaced the app's clean code with malicious code at least five times, each time uploading the clean version again a day later.
These four short bursts of malicious updates delivered a Trojan to every user who updated colourblock during that time window.
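The update pattern described above (a malicious build that is reverted to the previous clean build within a day) is something an app-store reviewer or a mobile-device-management team can flag from release history alone. The script below is an added example, not code from Kaspersky or from the page; the release records and hashes are constructed, and the two-day gap is an assumed threshold.

```python
from datetime import datetime, timedelta

# Constructed release history (not real colourblock data): each entry is
# (upload time, version code, hash of the APK's code). A malicious build
# alternates with the clean one, each reverted about a day later.
SAMPLE_RELEASES = [
    ("2017-03-01 10:00", 1, "sha256:clean0001"),
    ("2017-04-14 09:00", 2, "sha256:mal00002"),
    ("2017-04-15 09:30", 3, "sha256:clean0001"),
    ("2017-04-24 11:00", 4, "sha256:mal00003"),
    ("2017-04-25 10:45", 5, "sha256:clean0001"),
    ("2017-05-04 08:00", 6, "sha256:mal00004"),
    ("2017-05-05 08:20", 7, "sha256:clean0001"),
    ("2017-05-14 12:00", 8, "sha256:mal00005"),
    ("2017-05-15 12:10", 9, "sha256:clean0001"),
    ("2017-05-20 12:00", 10, "sha256:clean0002"),  # lasting update, not flagged
]

TIME_FMT = "%Y-%m-%d %H:%M"


def find_short_lived_builds(releases, max_gap=timedelta(days=2)):
    """Flag builds whose code hash differs from the previous build and is
    reverted to that previous hash within max_gap (assumed threshold).
    Returns a list of (version, uploaded, reverted) tuples."""
    rows = sorted((datetime.strptime(t, TIME_FMT), v, h) for t, v, h in releases)
    flagged = []
    for i in range(1, len(rows) - 1):
        prev_hash = rows[i - 1][2]
        cur_time, cur_ver, cur_hash = rows[i]
        next_time, _, next_hash = rows[i + 1]
        reverted_quickly = next_hash == prev_hash and next_time - cur_time <= max_gap
        if cur_hash != prev_hash and reverted_quickly:
            flagged.append((cur_ver, cur_time.strftime(TIME_FMT), next_time.strftime(TIME_FMT)))
    return flagged


def exposure_window(bursts):
    """Return (first upload, last revert): the period in which an update pull
    could have delivered a flagged build. None if nothing was flagged."""
    if not bursts:
        return None
    return min(b[1] for b in bursts), max(b[2] for b in bursts)


if __name__ == "__main__":
    bursts = find_short_lived_builds(SAMPLE_RELEASES)
    for ver, up, rev in bursts:
        print(f"version {ver}: uploaded {up}, reverted {rev}")
    print("exposure window:", exposure_window(bursts))
```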

DVMap trojan is targeted at the Android core system processes

Once installed on a device, the app initiates various actions to give the attacker full control over the device. To do this, Dvmap uses five exploits, not further specified by Kaspersky, to root different Android versions. Three of these exploit packages target Android devices running 32-bit systems, while the fourth exploit package targets devices with 64-bit platforms.

Once the Trojan has successfully rooted the device with these root packages, it holds root privileges that it can later use to manipulate the Android system through the Android system server process.
In addition, DVMap injects itself into libdvm.so on Android 4.4.4 and older, or into libandroid_runtime.so on devices up to Android 5.

According to Unuchek, the DVMap trojan contains code that turns off "VerifyApps". This is a powerful Google security feature built into all Android devices that helps identify malicious Android apps.

Once this feature is disabled, the DVMap trojan is able to install third-party apps without VerifyApps security checks on the user's device.