DVMap is a trojan that poses as a benign game app but downloads and executes malicious code on the user's device. To avoid detection by Google Play, the attacker first uploads a clean version of the game to the store and delivers the malicious payload later through an app update. To further shorten the window in which the malicious version can be detected, the attacker then pushes another update on the same day that converts the app back to its benign form.
The payloads are disguised as game resources in files named “Game321.res”, “Game322.res”, “Game323.res”, “Game324.res”, “Game642.res” and “Game624.res”. Once decrypted, these files are used to inject code into Android runtime libraries such as “libdvm.so” and “libandroid_runtime.so”. With that foothold, DVMap can turn off Verify Apps, install another malicious app from a third-party store and grant that app Device Administrator access. At this point the malicious apps can carry out a range of attacks, including stealing personal information, monitoring the user, wiping the device, sending unauthorized SMS messages, making phone calls or generating ad revenue.
Researchers speculate that the DVMap trojan is still in a testing stage: it overwrites the “/system/bin/ip” file with malicious code without preserving the original binary, which causes some devices to crash.
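The two observable artifacts described above, the payload file names carried inside the APK and the disabled Verify Apps setting, can both be checked offline. The triage script below is an added example for this page and is not Appthority's or the trojan researchers' tooling. It opens an APK as the ZIP archive it is, reports any entry whose base name matches one of the payload files named above together with its SHA-256 (so the sample can be shared with a malware analyst), and interprets the output of `adb shell settings get global package_verifier_enable`. The choice of that Settings.Global key is an assumption: the advisory only says Verify Apps is turned off, not how. The sample APK built by `build_sample_apk()` is constructed for the demonstration and contains no real payload.

```python
"""Triage helper for DVMap indicators: payload files inside an APK and the
Verify Apps setting on a device. Added example, not the advisory's own code."""
import hashlib
import os
import tempfile
import zipfile

# Payload file names taken from the advisory. Matching is done on the base name
# so an entry stored as assets/Game321.res is still flagged.
DVMAP_PAYLOAD_NAMES = frozenset({
    "Game321.res", "Game322.res", "Game323.res",
    "Game324.res", "Game642.res", "Game624.res",
})


def find_payload_entries(apk_path):
    """Return {zip_entry_name: sha256_hex} for every entry whose base name is a
    known DVMap payload file. An APK is a plain ZIP, so no Android SDK is needed."""
    hits = {}
    with zipfile.ZipFile(apk_path) as apk:
        for info in apk.infolist():
            if info.is_dir():
                continue
            base = info.filename.rsplit("/", 1)[-1]
            if base in DVMAP_PAYLOAD_NAMES:
                with apk.open(info) as fh:
                    hits[info.filename] = hashlib.sha256(fh.read()).hexdigest()
    return hits


def verify_apps_disabled(settings_output):
    """Interpret the text printed by
    `adb shell settings get global package_verifier_enable`.
    Assumption: Verify Apps is governed by this key (default 1 = enabled).
    'null' means the key was never written, so the default applies."""
    value = settings_output.strip()
    if value in ("", "null"):
        return False
    return value == "0"


def triage(apk_path, settings_output):
    """Combine both checks into one verdict."""
    hits = find_payload_entries(apk_path)
    disabled = verify_apps_disabled(settings_output)
    return {
        "payload_entries": hits,
        "verify_apps_disabled": disabled,
        "suspicious": bool(hits) or disabled,
    }


def build_sample_apk():
    """Constructed sample: a minimal ZIP shaped like an APK that carries one
    payload file name. The payload bytes are zeros, not real DVMap content."""
    path = os.path.join(tempfile.mkdtemp(), "sample.apk")
    with zipfile.ZipFile(path, "w") as z:
        z.writestr("AndroidManifest.xml", "<manifest/>")
        z.writestr("classes.dex", b"dex\n035\x00")
        z.writestr("assets/Game321.res", b"\x00" * 64)
    return path


if __name__ == "__main__":
    import json
    import sys

    # Usage: python triage.py [app.apk] [value-of-package_verifier_enable]
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_apk()
    setting = sys.argv[2] if len(sys.argv) > 2 else "0"
    print(json.dumps(triage(target, setting), indent=2))
```

A clean verdict from this script is not proof of a clean device: an app that has already swapped the runtime libraries or overwritten /system/bin/ip leaves nothing in the APK to find, which is why the reflash advice below applies once infection is suspected.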
For Appthority customers:
Appthority customers are protected from the DVMap trojan by the “Malware Detected” behavior. Although our initial investigation shows that no Appthority customers have been impacted by the DVMap trojan, we recommend that Appthority customers:
- Ensure the “Malware Detected” behavior is configured in your Appthority App Policies and compliance management workflow.
For all enterprises:
- We recommend educating employees:
- Not to install apps from unknown developers
- Not to install apps from third-party, unofficial stores
- To always keep their devices updated with the latest patches
- Reflash any device that becomes infected by the DVMap trojan. This is required because once the trojan has run its full malicious function, injecting code into Android system files, it can persist through app removal and a factory reset. Only a full reflash will eliminate the trojan.