Dvmap is rooting malware that injects malicious code into system runtime libraries. It is credited with being the first malware that performs this type of code injection.^[1]

ID: S0420

ⓘ

Type: MALWARE

ⓘ

Platforms: Android

Version: 1.0

Created: 10 December 2019

Last Modified: 22 January 2020

Techniques Used

Domain	ID	Name	Use
Mobile	T1475	Deliver Malicious App via Authorized App Store	Dvmap was delivered via the Google Play Store. It evaded Google Play Store checks by uploading a clean application, and replacing it with a malicious version for a short period of time. This occurred at least 5 times in a one month period.^[1]
Mobile	T1407	Download New Code at Runtime	Dvmap can download code and binaries from the C2 server to execute on the device as root.^[1]
Mobile	T1404	Exploit OS Vulnerability	Dvmap attempts to gain root access by using local exploits.^[1]
Mobile	T1478	Install Insecure or Malicious Configuration	Dvmap can enable installation of apps from unknown sources, turn off `VerifyApps`, and can grant Device Administrator permissions via commands only, rather than using the UI.^[1]
Mobile	T1400	Modify System Partition	Dvmap replaces `/system/bin/ip` with a malicious version. Dvmap can inject code by patching `libdmv.so` or `libandroid_runtime.so`, depending on the Android OS version. Both libraries are related to the Dalvik and ART runtime environments. The patched functions can only call `/system/bin/ip`, which was replaced with the malicious version.^[1]
Mobile	T1406	Obfuscated Files or Information	Dvmap decrypts executables from archive files stored in the `assets` directory of the installation binary.^[1]
Mobile	T1426	System Information Discovery	Dvmap checks the Android version to determine which system library to patch.^[1]

References

R. Unuchek. (2017, June 8). Dvmap: the first Android malware with code injection. Retrieved December 10, 2019.

Dvmap

Mobile Layer

Techniques Used

References