Every week or so, a new form of Android malware is discovered that works unlike anything that came before. Fortunately, in most cases, Google and third-party security experts identify the offenders before they do any serious damage. Kaspersky has just discovered one such Trojan, called Dvmap, hidden in an unassuming game on the Google Play Store called Colourblock, and it uses an unprecedented tactic: it injects code into the Android system library.
According to Kaspersky, this is the first example of malware on the operating system with that capability. Colourblock has reportedly been downloaded over 50,000 times, though Google took the game down after Kaspersky brought it to the company’s attention.
The danger of malware that overwrites contents of the system library, in this particular instance, is that it can disable Android’s Verify Apps function, allowing the unchecked installation of downloaded software without the user’s knowledge or approval. By replacing the library, the Dvmap Trojan also removes key services that many apps rely on to operate properly, which means normally stable apps could very well start crashing on your device.
Dvmap even deletes root access to cover its tracks. That’s particularly dangerous for apps dealing with sensitive information that rely on root detection to operate securely, like banking apps.
Kaspersky’s Roman Unuchek noted in his analysis that although the Trojan possessed the ability to download and execute files, it never received any commands during his investigation. This could mean that the developers are still expanding their reach and testing their methods before launching the full attack.
Interestingly, Colourblock has been able to sidestep action from Google and remain under the radar because the developers have been regularly “updating” the app by releasing a mix of clean and malicious versions. The first release was clean, but was then replaced with another containing Dvmap after a short period of time. That version was switched out with another clean app, and then again with an infected one. Kaspersky says the developers had performed the switcheroo at least five times between April and May.