Say hello to Dvmap: The first Android malware with code injection

A powerful Android trojan with novel code injection features that posed as a game was distributed through the Google Play Store before its recent removal. The Dvmap trojan installs its malicious modules while also injecting hostile code into the system runtime libraries. But Dvmap has other tricks up its sleeve. Once …

  1. Anonymous South African Coward

    Would've been nice to name the game... and the company involved as well.

    1. DaLo

      Game: colourblock

      Developer: Retgumhoap Kanumep

      Source - the linked article with the full details of the whole infection process.

  2. Spacedinvader

    Don't need to go to link, second last para "Dvmap was distributed while posing as a simple, addictive puzzle game called colourblock, posted under the name "Retgumhoap Kanumep". "

    1. Anonymous Coward

      Says that now...

      1. Destroy All Monsters

        I'm sure that's an anagram of something.

        But what?

        "A Kaput Morpheme Gun"

        Hmm..... Nah.

  3. scrubber

    Learn from https

    Google have decided that unencrypted connections are bad; they should be doing the same for apps. Any app that requires additional access should have to justify it before an update is allowed on the store. Doesn't stop lazy programmers that want full access on first install (HSBC!), but it would be a start.

    1. Charles 9

      Re: Learn from https

      Whether or not the connection is encrypted doesn't help here. An HTTPS connection to a C&C server is just as bad: worse, actually, since the traffic can't be sniffed easily.

      In any event, if the game needed network access to begin with (for legitimate updates and content downloads), that would easily disguise the malware download.

  4. jelabarre59

    Rooting

    Gee, a malware app that can root unrootable devices. Sounds like they would have been better off selling it *as* a root tool for those of us who want to unlock all our locked devices we paid good money for. Then it could be used to remove that special category of malware known as "bundled/built-in apps".

    1. Charles 9

      Re: Rooting

      I'm wondering if you've misread. It seems to me it's an UNrooter. If it encounters a rooted device, it UNroots it to prevent it being force-uninstalled. Meanwhile, it uses exploits of its own (temp-root stuff) to wedge itself in place.

  5. Anonymous Coward

    "Developers bypassed the store's security checks by uploading a clean app at the end of March. They then updated this with a malicious version for a short period of time before uploading another clean version." So Google does not check the software before making it available for download but posts it immediately, checks it in background when it has some time to spare and removes it if something suspicious is found? I find it hard to believe.

  6. Anonymous Coward

    Sounds like you need a modified device

    Sideload apps

    Root access

    Surely all bets are off on such an untrusted device?

    1. Christian Berger

      Re: Sounds like you need a modified device

      This was apparently on the Play Store and worked on unmodified devices.

      The problem simply is that sandboxes don't work. They may improve security a bit, if you manage to make them without increasing the complexity a lot, but they don't work against malware. We'd probably be better off with a simpler device which features a "mobile touch terminal" that would connect to remote services without actually executing Turing complete code.

      1. Charles 9

        Re: Sounds like you need a modified device

        That would just move the target, though. At SOME point, if you want the phone to be a mobile data device, you're going to NEED a Turing-complete implementation SOMEWHERE. And YES, I DO find a mobile data device to be very useful for on-the-spot research and so on. I've just come to learn that malware comes with the territory, just as jungles come with beasts, oceans come with sharks, and so on. Of course, I'm still concerned a clueless user takes others with him/her like a Private Snafu.

  7. j0nnyf1v3

    There is malware that jumps VM's and fu*&ing air-gaps... This ain't $h1t.

    Charles 9 is correct. It will use an exploit, usually dirtycow, to temp root for that instance only. It will lock up the device after it does its bidding via kernel panic or OOM event, forcing the user to restart the device, thereby effectively erasing the root yet leaving the code nestled between your /system files and your /data files... Both need root to write to. Anyway, that is what I heard from SWIM....
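The article summary at the top and the comment above both turn on the same point: the payload ends up written into system library directories that normally need root to touch. The check a practitioner would want for that is a hash baseline of those directories taken from a known-good image, diffed against the live tree. The script below is an added example, not code from the article, from The Register, or from the Dvmap analysis it links to; the library file names and contents are constructed stand-ins, and the tampering is simulated inside a temporary directory so it runs offline.

```python
"""Baseline-and-diff integrity check for a system library tree.

Added example, not code from the article or from the linked Dvmap analysis.
Assumes a baseline manifest of SHA-256 hashes was taken from a known-good
image; the directory layout and file contents below are constructed.
"""
import hashlib
import os
import tempfile


def hash_file(path: str) -> str:
    """SHA-256 of a file, streamed so large native libraries don't need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(root: str) -> dict:
    """Map each file's path (relative to root, '/'-separated) to its SHA-256."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = hash_file(full)
    return manifest


def diff_manifest(baseline: dict, current: dict) -> dict:
    """Files modified, added, or removed in `current` relative to `baseline`."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def demo() -> dict:
    """Build a constructed 'known-good' tree, tamper with it, and diff the result."""
    with tempfile.TemporaryDirectory() as tmp:
        lib = os.path.join(tmp, "lib")
        os.makedirs(lib)
        # Constructed stand-ins for runtime libraries; names and bytes are assumptions.
        for name, body in [("libdvm.so", b"clean dvm"), ("libandroid_runtime.so", b"clean rt")]:
            with open(os.path.join(lib, name), "wb") as f:
                f.write(body)
        baseline = hash_tree(tmp)

        # Simulate tampering: patch one library in place and drop a new file into the tree.
        with open(os.path.join(lib, "libdvm.so"), "ab") as f:
            f.write(b"\x90" * 16)  # appended bytes standing in for injected code
        with open(os.path.join(lib, "libinject.so"), "wb") as f:
            f.write(b"new")
        return diff_manifest(baseline, hash_tree(tmp))


if __name__ == "__main__":
    print(demo())
```

On a real device the baseline comes from a trusted source (a freshly flashed unit, or the same firmware image's /system pulled over adb) and the comparison runs against the suspect device's tree; a modified runtime library or an unexpected new .so is the signal, and since the comment notes the root is erased on reboot, the diff is also the only durable evidence that the root was ever obtained.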

  8. Anonymous Coward

    Malware available in the App Store

    Security patches delayed or never by vendors

    I don't think I'll be swapping to Android anytime soon
