Interestingly, the Dvmap malware, which bypassed the Google Play store's security checks, first disguised itself as a clean application hidden in the puzzle game “colourblock” and then upgraded itself to a malicious version a short time later. The game was reportedly downloaded at least 50,000 times before being removed.
The analysis shows that the Dvmap Trojan targets both 32-bit and 64-bit versions of Android. Once successfully installed, the malware attempts to gain root access on the device and install multiple malicious modules, including some Chinese modules and the malicious app “com.qualcmm.timeservices”. To ensure that the malicious module executes with system privileges, the malware overwrites the system runtime, depending on the Android version the device is running. After the malicious application has been installed, the Trojan, now running with system privileges, turns off the “Validate Application” function and modifies the system settings.
It is reported that the third-party malicious application connects infected devices to the attacker's C&C server and hands over control of the device. Although the researchers are still monitoring Dvmap, they have not observed infected Android devices receiving any malicious commands. To avoid infection, the researchers recommend that users always verify an application's permissions before installing it (even from the Google Play store) and grant only the permissions the application needs.
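A triage sketch for the two device-side indicators described above, added here as an example and not taken from the Kaspersky report. It assumes the input was collected with `adb shell pm list packages -f` and `adb shell settings get global package_verifier_enable`, and that the “Validate Application” function corresponds to that Android setting; the lookalike-vendor check and all sample paths are constructed for illustration.

```python
import re

# Package name taken from the article; everything else is an assumption.
IOC_PACKAGES = {"com.qualcmm.timeservices"}
LEGIT_VENDOR = "qualcomm"  # vendor segment that the indicator imitates


def edit_distance(a, b):
    """Levenshtein distance, used to spot near-miss vendor names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def parse_packages(pm_output):
    """Parse `pm list packages -f` lines of the form package:<apk path>=<name>."""
    pkgs = {}
    for line in pm_output.splitlines():
        m = re.match(r"package:(.+)=([\w.]+)\s*$", line.strip())
        if m:
            pkgs[m.group(2)] = m.group(1)
    return pkgs


def triage(pm_output, verifier_setting):
    """Return (finding, subject, detail) tuples for a single device."""
    findings = []
    for name, path in sorted(parse_packages(pm_output).items()):
        parts = name.split(".")
        vendor = parts[1] if len(parts) > 1 else ""
        if name in IOC_PACKAGES:
            findings.append(("known-ioc", name, path))
        elif vendor != LEGIT_VENDOR and edit_distance(vendor, LEGIT_VENDOR) <= 1:
            findings.append(("lookalike-vendor", name, path))
    # "0" means package verification has been switched off on the device.
    if verifier_setting.strip() == "0":
        findings.append(("verify-apps-disabled", "package_verifier_enable", "0"))
    return findings


# Constructed sample input; the APK paths are placeholders, not real artefacts.
SAMPLE_PM = """\
package:/system/app/placeholder-a.apk=com.qualcomm.timeservice
package:/system/app/placeholder-b.apk=com.qualcmm.timeservices
package:/data/app/placeholder-c/base.apk=com.example.notes
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_PM, "0"):
        print(finding)
```

A disabled verifier on its own is weak evidence, since a user can turn it off; treat it as a corroborating signal alongside the package match.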
Attachment: Kaspersky Lab Analysis Report “Dvmap: First Code Injection Android Malware”