Trojan found hiding in the Google Play Store – here’s how it got there


Researchers at Kaspersky Lab have discovered a new form of malware that was distributed to Android users via Google’s Play Store.

The malware is a Trojan known as Dvmap. Some of you reading this will be scratching your head as to how malware was able to get onto the Play Store in the first place.

As you may know, Google regularly monitors the platform for threats but the distributors of Dvmap knew that as well.

Google scans 6 billion Android apps for threats every day

“To bypass the store’s security checks, the malware creators uploaded a clean app to the store at the end of March, 2017. They then updated this with a malicious version for a short period of time, before uploading another clean version. In the space of four weeks they did this at least five times,” Kaspersky’s researchers say.
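The distribution trick described in that quote leaves a signature in store telemetry: a listing whose live build is swapped out again only a day or two after it went up, repeatedly, inside a short span. The following is an added example, not code from Kaspersky or from this article, showing how a defender with per-build history for a listing (package name, version code, APK digest, time it became the live build) could flag that churn for manual re-scanning. The `Release` records, the digests and dates, and the thresholds (five short-lived builds inside four weeks, matching the figures quoted above) are all constructed assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List


@dataclass(frozen=True)
class Release:
    """One observed build of a store listing (constructed sample record, not real telemetry)."""
    package: str
    version_code: int
    sha256: str        # digest of the APK as observed; constructed placeholder values below
    seen: datetime     # moment this build became the live listing


def short_lived_builds(releases: List[Release], max_lifetime: timedelta) -> List[Release]:
    """Return builds that were replaced by a different APK within max_lifetime of going live."""
    ordered = sorted(releases, key=lambda r: r.seen)
    flagged = []
    for cur, nxt in zip(ordered, ordered[1:]):
        if cur.sha256 != nxt.sha256 and (nxt.seen - cur.seen) <= max_lifetime:
            flagged.append(cur)
    return flagged


def has_update_churn(releases: List[Release],
                     window: timedelta = timedelta(weeks=4),
                     min_swaps: int = 5,
                     max_lifetime: timedelta = timedelta(days=2)) -> bool:
    """True if at least min_swaps short-lived builds fall inside any window-long span."""
    swaps = short_lived_builds(releases, max_lifetime)
    for i, first in enumerate(swaps):
        in_window = [s for s in swaps[i:] if s.seen - first.seen <= window]
        if len(in_window) >= min_swaps:
            return True
    return False


def _timeline(package: str, day_offsets: List[int]) -> List[Release]:
    """Build a constructed release history: one build per offset (days after 28 March 2017)."""
    start = datetime(2017, 3, 28)
    return [
        Release(package, vc, f"constructed-sha256-{package}-{vc}", start + timedelta(days=d))
        for vc, d in enumerate(day_offsets, start=1)
    ]


# Constructed history mimicking the pattern in the quote: every second build is
# replaced within one or two days, five times inside four weeks.
CHURNING_APP = _timeline("example.churning.game", [0, 6, 8, 13, 14, 19, 20, 25, 27, 31, 32])

# Constructed history of an ordinary app that ships roughly monthly.
STABLE_APP = _timeline("example.stable.app", [0, 30, 61])


if __name__ == "__main__":
    for name, history in (("churning", CHURNING_APP), ("stable", STABLE_APP)):
        swapped = [r.version_code for r in short_lived_builds(history, timedelta(days=2))]
        print(f"{name}: short-lived builds {swapped}, churn={has_update_churn(history)}")
```

The heuristic keys on the digest rather than the version code, so a developer who bumps the version for a genuine hotfix but ships the same bytes is not counted, while a swapped APK under any version number is. It is a triage signal, not a verdict: a listing that trips it is a candidate for pulling and re-scanning every build in the window, not proof of malice on its own.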

Using this distribution method, Kaspersky suspects that the malware was downloaded more than 50 000 times since it first appeared in March.

What does Dvmap do?

Once installed, Dvmap deletes root access, which makes it harder for security solutions to detect that the system has been compromised if they are installed after the attack.

Once Dvmap is installed, an attacker can send commands via a command server. Kaspersky says it never observed commands being sent from this server, but it did notice the malware reporting every move it made to it.

“Modification of the system libraries is a risky process that can misfire. The researchers observed that the Dvmap malware tracks and reports its every move to its command and control server – although the command server didn’t respond with instructions. This suggests that the malware is not yet fully ready or implemented,” said Kaspersky.

“It looks like its [Dvmap's] main purpose is to get into the system and execute downloaded files with root rights. But I never received such files from their command and control server,” senior malware analyst at Kaspersky Lab Roman Unuchek wrote in a blog.

What to do if you think you are infected

The Trojan has been removed from the Google Play Store. According to Unuchek’s blog, the malware appears to have been delivered through a game called colourblock.

If you happen to have downloaded that app and you didn’t have an antivirus installed, your only choice is to create a back-up of your data and perform a factory data reset on your phone or tablet.

This is a rather new attack vector, and the fact that it removes root access is terribly concerning. In light of that, we urge you to download an antivirus through the Google Play Store. We recommend either Avast Mobile Security and Antivirus or Kaspersky Antivirus, both of which are free.

[Image – CC 0 Public Domain Pixabay]

Brendyn Lotz

Brendyn Lotz writes news, reviews, and opinion pieces for Hypertext. His interests include SMEs, innovation on the African continent, cybersecurity, blockchain, games, geek culture and YouTube.