Android malware has entered a new era: code injection. As per a report in The Register, the Dvmap trojan, which hid inside several games on Google Play for months and was installed more than 50,000 times, “installs its malicious modules while also injecting hostile code into the system runtime libraries”.
After getting root access and dropping its payload, the malware patches root to cover its tracks. Interestingly, Dvmap works on 64-bit Android and can disable Google’s Verify Apps security feature, a novel approach to avoiding detection by Google.
The trojan’s creators upload a “clean” app to Google Play and then occasionally update it with the malware components for a short period of time before replacing it once again with the clean version. The modules were constantly sending reports back to the malware’s authors, leading Kaspersky Lab, which unearthed the trojan, to believe it was in an early testing phase.
The aim of Dvmap appears to be enabling the installation of apps with root-level permissions from third-party stores. Kaspersky also notes that Dvmap could serve ads and execute downloaded files delivered from a remote server. While Kaspersky observed the server connection, no files were sent during its testing, again implying that Dvmap was not fully operational.
“The introduction of code injection capability is a dangerous mobile malware development,” Kaspersky told The Register. “As the approach may be used to execute malicious modules with root access deleted, security solutions and banking apps with root-detection features that are installed after infection will not be able to spot the malware’s presence.”
So if, in the last few months, you downloaded a game that has now been pulled from Google Play