Kaspersky Lab has recently discovered a dangerous Android trojan named Dvmap that was being distributed through the Google Play Store. Dvmap was capable of rooting the device, injecting malicious code into system libraries and switching off Android's built-in security features. Fortunately, after Kaspersky alerted Google to the infection, the trojan was removed from the Play Store.
Malware analyst Roman Unuchek discovered the Dvmap trojan on May 17 while reviewing the results of Kaspersky's internal systems that watch for new strains of rooting malware. After running some additional checks, he alerted Google on May 25; until then, the trojan had remained available on the Play Store.
Dvmap was embedded in a game named Colourblock, marketed as the "simplest, challenging, addictive" puzzle game. As already mentioned, the trojan was particularly dangerous because it could root an Android device and inject malicious code into a system library without the user's knowledge.
Once installed, the application tried to gain root access by launching a "start" file that checked which version of Android the device was running and, based on that, chose which system library to inject its code into. If the operation succeeded, the trojan installed further tools that connected Dvmap to its command-and-control (C&C) server.
Interestingly, the server never responded to the requests Dvmap sent, which suggests either that the trojan was not yet fully developed or that its command infrastructure had not yet been put into operation.
It appears that the criminals, who had been developing the Android trojan since the beginning of March, released a number of versions of the game, alternating a clean version with a malicious one and so on, apparently to evade the store's checks.
Another nasty feature of Dvmap is that, once a patched system library executes the malicious module, the trojan can turn off VerifyApps, Google's built-in Android malware scanner. It then changes the device settings so that apps can be installed from any source, which opens the door to many more infected applications.
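The two traces described above, a patched system library and the VerifyApps and unknown-sources settings being flipped, are what a responder would look for on a suspect device. The following Python script is an added example written for this page, not code from Kaspersky or from the Dvmap sample. It audits the output of `adb shell settings list global` / `settings list secure` and a `sha256sum` listing of system libraries against a known-good baseline. The setting names `package_verifier_enable` and `install_non_market_apps`, the library path `/system/lib/libexample_runtime.so` and all sample data are assumptions constructed for illustration; a real baseline would be hashed from a clean firmware image of the same build.

```python
"""Audit an Android device for Dvmap-style tampering: a patched system
library and the VerifyApps / unknown-sources settings flipped.

Inputs are plain text, so the checks run offline on captured output:
  * `key=value` lines from `adb shell settings list global|secure`
  * `<sha256>  <path>` lines from `adb shell sha256sum <libs...>`
"""
import subprocess
from typing import Dict, List, Optional

# Assumed Settings.Global / Settings.Secure key names (illustrative).
VERIFIER_KEY = "package_verifier_enable"          # "1" means VerifyApps is on
UNKNOWN_SOURCES_KEY = "install_non_market_apps"   # "1" means sideloading allowed


def parse_settings(listing: str) -> Dict[str, str]:
    """Parse the `key=value` lines printed by `settings list <namespace>`."""
    result: Dict[str, str] = {}
    for line in listing.splitlines():
        line = line.strip()
        if "=" in line:
            key, _, value = line.partition("=")
            result[key.strip()] = value.strip()
    return result


def parse_sha256sum(listing: str) -> Dict[str, str]:
    """Parse `<hash>  <path>` lines printed by `sha256sum` into {path: hash}."""
    result: Dict[str, str] = {}
    for line in listing.splitlines():
        parts = line.split()
        if len(parts) == 2 and len(parts[0]) == 64:
            result[parts[1]] = parts[0].lower()
    return result


def audit_settings(global_listing: str, secure_listing: str) -> List[str]:
    """Return findings for the two settings a Dvmap-style module changes."""
    g = parse_settings(global_listing)
    s = parse_settings(secure_listing)
    findings: List[str] = []
    # A missing key is treated as the platform default, not as a finding.
    if g.get(VERIFIER_KEY, "1") != "1":
        findings.append(f"VerifyApps disabled ({VERIFIER_KEY}={g[VERIFIER_KEY]})")
    if s.get(UNKNOWN_SOURCES_KEY, "0") == "1":
        findings.append(f"unknown sources enabled ({UNKNOWN_SOURCES_KEY}=1)")
    return findings


def audit_libraries(observed: Dict[str, str], baseline: Dict[str, str]) -> List[str]:
    """Return one finding per baseline library that is missing or modified."""
    findings: List[str] = []
    for path, good_hash in baseline.items():
        seen = observed.get(path)
        if seen is None:
            findings.append(f"{path}: not present in device listing")
        elif seen != good_hash.lower():
            findings.append(f"{path}: hash mismatch (expected {good_hash[:12]}..., got {seen[:12]}...)")
    return findings


def audit_device(baseline: Dict[str, str], serial: Optional[str] = None) -> List[str]:
    """Run both checks against a connected device (needs adb on PATH and a
    toybox `sha256sum` on the device; older builds may lack the latter)."""
    adb = ["adb"] + (["-s", serial] if serial else [])

    def sh(cmd: str) -> str:
        return subprocess.run(adb + ["shell", cmd], capture_output=True,
                              text=True, check=True).stdout

    findings = audit_settings(sh("settings list global"), sh("settings list secure"))
    observed = parse_sha256sum(sh("sha256sum " + " ".join(baseline)))
    return findings + audit_libraries(observed, baseline)


# Constructed sample data (not captured from a real device or a real build).
CLEAN_GLOBAL = "adb_enabled=0\npackage_verifier_enable=1\n"
CLEAN_SECURE = "install_non_market_apps=0\n"
INFECTED_GLOBAL = "adb_enabled=0\npackage_verifier_enable=0\n"
INFECTED_SECURE = "install_non_market_apps=1\n"
EXAMPLE_LIB = "/system/lib/libexample_runtime.so"   # hypothetical path
BASELINE_LIBS = {EXAMPLE_LIB: "a" * 64}
PATCHED_LISTING = "b" * 64 + "  " + EXAMPLE_LIB + "\n"

if __name__ == "__main__":
    for finding in audit_settings(INFECTED_GLOBAL, INFECTED_SECURE):
        print("setting:", finding)
    for finding in audit_libraries(parse_sha256sum(PATCHED_LISTING), BASELINE_LIBS):
        print("library:", finding)
```

Keep in mind that a module running with root, as Dvmap did after patching a library, could also hide from checks executed through the compromised system; hashing the libraries from a recovery image or a pulled partition is more trustworthy than hashing on the live device.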