Dvmap could become the first true Android virus

It's finally happened: Android malware is now old hat, as the first true Android virus is in the works. The malware Dvmap has mastered the process of code injection and could thus be used as part of a big attack. Kaspersky Lab has analyzed the first findings and explained how this malware can spread, despite the Play Store's safety mechanisms.

Kaspersky has been monitoring the distribution of a Trojan horse in the Play Store since April 2017. Dvmap was able to hide from Google's protection and verification mechanisms by regularly swapping clean code with malicious code and vice versa. Now we know that Bouncer, introduced in 2012 to keep malware out of the Play Store, can be tricked easily.

The malware, which Kaspersky Lab classifies as Trojan.AndroidOS.Dvmap.a, is, according to experts, a particularly tricky form of Trojan horse. Not only does the software try to gain root privileges in four different ways, even with 64-bit compatible code, it also injects malicious code into the system libraries libdvm.so and libandroid_runtime.so.

Subsequently, the Trojan triggers protection mechanisms to verify and install third-party apps. This is done by an administrator service called com.qualcmm.timeservices, which looks similar to a legitimate background service like com.qualcomm.timeservices.
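
The look-alike service name described above suggests a simple check, shown here as an added example that is not part of the original article or of Kaspersky's analysis: compare installed package names against a short list of trusted ones and flag near misses. The trusted list, the sample `pm list packages` output and the function names are constructed for illustration.

```python
def osa_distance(a, b):
    """Edit distance counting insert, delete, substitute and adjacent swap."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i] + [0] * len(b)
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            cur[j] = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            # Adjacent transposition, e.g. "ab" -> "ba", counts as one edit.
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                cur[j] = min(cur[j], prev2[j - 2] + 1)
        prev2, prev = prev, cur
    return prev[-1]


def parse_pm_list(text):
    """Parse `pm list packages` output, one 'package:<name>' per line."""
    return [line.split(":", 1)[1].strip()
            for line in text.splitlines() if line.startswith("package:")]


def find_lookalikes(installed, trusted, max_distance=2):
    """Return (installed, imitated, distance) for near misses, closest first."""
    trusted_set = set(trusted)
    hits = []
    for name in installed:
        if name in trusted_set:
            continue  # exact match is the legitimate package name
        for good in trusted:
            d = osa_distance(name, good)
            if 0 < d <= max_distance:
                hits.append((name, good, d))
    return sorted(hits, key=lambda h: h[2])


# Assumed allowlist; in practice, build it from a known-good factory image.
TRUSTED = ["com.qualcomm.timeservices", "com.android.vending",
           "com.google.android.gms"]

# Constructed sample of `pm list packages` output.
SAMPLE_PM_OUTPUT = """\
package:com.android.vending
package:com.qualcmm.timeservices
package:com.google.android.gms
package:com.example.notes
"""

if __name__ == "__main__":
    for name, good, d in find_lookalikes(parse_pm_list(SAMPLE_PM_OUTPUT), TRUSTED):
        print(f"{name} imitates {good} (distance {d})")
```

A name match only shows that a package uses the legitimate identifier; it says nothing about whether the package itself is genuine, so this check complements signature and image verification rather than replacing it.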

At certain points in time, the app was clean. At other times, it was infected. / © Kaspersky Lab

Since the malware could install third-party software on infected devices at a later date, the author of the malware could offer this ability on the black market to anyone interested. So far, a maximum of 50,000 affected devices has been mentioned, but because the malware is very difficult to detect, a considerably higher number could be infected.

Theoretically, Google is able to delete harmful apps remotely from your device. But since the malware manipulates system libraries, it may be able to prevent this or report the uninstallation immediately to the malware's author. The author could then install a revised version of the malware under a different name and escape the protection mechanism once more.

Only formatting the system partition and re-installing the original firmware can remedy an affected smartphone. Most lay people wouldn't be able to do this themselves, so they would have to turn to a service for help.

The only way to prevent infection, generally, is to have the most recent security patches. But these are unfortunately only available to a small number of users. Many manufacturers deliver security patches with considerable delay or not at all, since implementation can be expensive and they fear customers won't buy a new phone if their current one still gets updates.


  • julie Jun 24, 2017

    Much thanks for the info. Over a yr ago I installed Wallapop n it destroyed my sd card n my s3. Just recently I installed remote for firestick n I swear it was corrupt cuz it screwed up my almost 8 mo old phone. I had to factory reset. I have Lookout but I wish there were better antivirus options. I don't trust apps anymore.

  • Chris Aldridge Jun 13, 2017

    Not sure from this article if just rooted devices affected, or unrooted devices at risk as well...