{
	"id": "0111d0be-f594-4043-8a9e-db1911bf4243",
	"created_at": "2026-04-06T01:31:17.259665Z",
	"updated_at": "2026-04-10T03:30:33.722886Z",
	"deleted_at": null,
	"sha1_hash": "9d41fabb9afa2b01d89dcd3005e6eaec47415614",
	"title": "Dvmap: the first Android malware with code injection",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 127717,
	"plain_text": "Dvmap: the first Android malware with code injection\r\nBy Roman Unuchek\r\nPublished: 2017-06-08 · Archived: 2026-04-06 00:09:20 UTC\r\nIn April 2017 we started observing new rooting malware being distributed through the Google Play Store. Unlike other rooting malware, this Trojan not only installs its modules into the system, it also injects malicious code into the system runtime libraries. Kaspersky Lab products detect it as Trojan.AndroidOS.Dvmap.a.\r\nThe distribution of rooting malware through Google Play is not a new thing. For example, the Ztorg Trojan has been uploaded to Google Play almost 100 times since September 2016. But Dvmap is very special rooting malware. It uses a variety of new techniques, but the most interesting thing is that it injects malicious code into the system libraries – libdvm.so or libandroid_runtime.so.\r\nThis makes Dvmap the first Android malware that injects malicious code into the system libraries at runtime, and it has been downloaded from the Google Play Store more than 50,000 times. Kaspersky Lab reported the Trojan to Google, and it has now been removed from the store.\r\nhttps://securelist.com/dvmap-the-first-android-malware-with-code-injection/78648/\r\nPage 1 of 5\n\nTrojan.AndroidOS.Dvmap.a on Google Play\r\nTo bypass Google Play Store security checks, the malware creators used a very interesting method: they uploaded a clean app to the store at the end of March 2017, and would then update it with a malicious version for a short period of time. Usually they would upload a clean version back to Google Play the very same day. They did this at least 5 times between 18 April and 15 May.\r\nAll the malicious Dvmap apps had the same functionality. They decrypt several archive files from the assets folder of the installation package, and launch an executable file from them with the name “start.”\r\nEncrypted archives in the assets folder\r\nThe interesting thing is that the Trojan supports even the 64-bit version of Android, which is very rare.\r\nPart of code where the Trojan chooses between 32-bit and 64-bit compatible files\r\nAll encrypted archives can be divided into two groups: the first comprises Game321.res, Game322.res, Game323.res and Game642.res, which are used in the initial phase of infection, while the second group, Game324.res and Game644.res, is used in the main phase.\r\nInitial phase\r\nDuring this phase, the Trojan tries to gain root rights on the device and to install some modules. All archives from this phase contain the same files except for one called “common”. This is a local root exploit pack, and the Trojan uses 4 different exploit pack files, 3 for 32-bit systems and 1 for 64-bit systems. If these files successfully gain root rights, the Trojan will install several tools into the system. It will also install the malicious app “com.qualcmm.timeservices.”\r\nThese archives contain the file “.root.sh”, which has some comments in Chinese:\r\nPart of .root.sh file\r\nMain phase\r\nIn this phase, the Trojan launches the “start” file from Game324.res or Game644.res. It will check the version of Android installed and decide which library should be patched. For Android 4.4.4 and older, the Trojan will patch the method _Z30dvmHeapSourceStartupBeforeForkv in libdvm.so, and for Android 5 and newer it will patch the method nativeForkAndSpecialize in libandroid_runtime.so. Both of these libraries are runtime libraries related to the Dalvik and ART runtime environments. Before patching, the Trojan backs up the original library under the name bak_{original name}.\r\nPatched libdvm.so\r\nDuring patching, the Trojan overwrites the existing code with malicious code so that all it can do is execute /system/bin/ip. This could be very dangerous and cause some devices to crash following the overwrite. Then the Trojan will put the patched library back into the system directory. After that, the Trojan will replace the original /system/bin/ip with a malicious one from the archive (Game324.res or Game644.res). In doing so, the Trojan can be sure that its malicious module will be executed with system rights. But the malicious ip file does not contain any methods from the original ip file. This means that all apps that were using this file will lose some functionality or even start crashing.\r\nMalicious module “ip”\r\nThis file will be executed by the patched system library. It can turn off “VerifyApps” and enable the installation of apps from third-party stores by changing system settings. Furthermore, it can grant the “com.qualcmm.timeservices” app Device Administrator rights without any interaction with the user, just by running commands. It is a very unusual way to get Device Administrator rights.\r\nAs I mentioned before, in the “initial phase”, the Trojan will install the “com.qualcmm.timeservices” app. Its main purpose is to download archives and execute the “start” binary from them. During the investigation, this app was able to successfully connect to the command and control server, but it received no commands. So I don’t know what kind of files will be executed, but they could be malicious or advertising files.\r\nConclusions\r\nThis Trojan was distributed through the Google Play Store and uses a number of very dangerous techniques, including patching system libraries. It installs malicious modules with different functionality into the system. It looks like its main purpose is to get into the system and execute downloaded files with root rights. But I never received such files from their command and control server.\r\nThese malicious modules report to the attackers about every step they are going to make. So I think that the authors are still testing this malware, because they use some techniques which can break the infected devices. But they already have a lot of infected users on whom to test their methods.\r\nI hope that by uncovering this malware at such an early stage, we will be able to prevent a massive and dangerous attack when the attackers are ready to actively use their methods.\r\nMD5\r\n43680D1914F28E14C90436E1D42984E2\r\n20D4B9EB9377C499917C4D69BF4CCEBE\r\nSource: https://securelist.com/dvmap-the-first-android-malware-with-code-injection/78648/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"Malpedia"
	],
	"references": [
		"https://securelist.com/dvmap-the-first-android-malware-with-code-injection/78648/"
	],
	"report_names": [
		"78648"
	],
	"threat_actors": [
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775439077,
	"ts_updated_at": 1775791833,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9d41fabb9afa2b01d89dcd3005e6eaec47415614.pdf",
		"text": "https://archive.orkl.eu/9d41fabb9afa2b01d89dcd3005e6eaec47415614.txt",
		"img": "https://archive.orkl.eu/9d41fabb9afa2b01d89dcd3005e6eaec47415614.jpg"
	}
}