Dvmap uses new techniques to infect devices – and has been downloaded over 50,000 times.
The trojan was found inside the official Google Play app store.
An Android Trojan which uses new techniques to take of control devices has been discovered in the Google Play Store.
The Trojan has been downloaded from Google’s official app marketplace over 50,000 times since March 2017 and is a particularly dangerous form of malware because it it can inject code into the system library and remove root-detection features designed to detect malicious intrusions.
Uncovered by cybersecurity researchers at at Kaspersky Lab, the Dvmap trojan is not only capable of obtaining root access rights on Android devices but has the ability to monitor information and install other applications.
Dvmap disguised itself as a game called ‘colourblock’ within Google Play which managed to bypass the store’s security checks by first of all uploaded a clean version of the app in March.
Shortly afterwards, they updated it to a malicious version for a short time before reverting it back to the clean version. Researchers say they did at least five times in the space of four weeks, successfully tricking Google Play in the process.
The trojan disguised in the Google Play store. Image: Kaspersky Lab
Once successfully installed on the device, the trojan installs a root exploit back installing several tools – which appear to contain comments in Chinese, potentially pointing to the malware authors – in order to run the main phase and overwriting Android’s code with malicious code. Researchers note that this could be “very dangerous” and cause some devices to crash.
If successfully installed and executed, Dvmap can successfully connect to a command and control server – but in the device being investigated it received no comments. Researchers suggest that if allowed to run, additional malware or advertising files could be stored on the device.
The method of code injection “marks a dangerous new development in Android malware” said Roman Unuchek, Senior Malware Analyst, Kaspersky Lab. “Users who don’t have the security in place to identify and block the threat before it breaks in have a difficult time ahead.”.
Those worried they may have been infected by Dvmap are advised to back up all their data and perform a factory data reset of their device.
Kaspersky Lab has reported the Trojan to Google, and it has now been removed from the store – but it represents just the latest instance of malicious apps sneaking into the Play store, in Google’s ongoing battle with Android malware.
While Google keeps the vast majority of its 1.4 billion Android users safe from malware, malicious apps still get through and there’s no recall option for malicious applications.
Google had not responded to a request for comment at the time of publication.