Dvmap

Dvmap is rooting malware that injects malicious code into system runtime libraries. It is credited with being the first malware that performs this type of code injection.^[1]

ID: S0420

ⓘ

Type: MALWARE

ⓘ

Platforms: Android

Version: 1.0

Created: 10 December 2019

Last Modified: 22 January 2020

Version Permalink

Live Version

Techniques Used

Domain	ID		Name	Use
Mobile	T1407		Download New Code at Runtime	Dvmap can download code and binaries from the C2 server to execute on the device as root.^[1]
Mobile	T1404		Exploitation for Privilege Escalation	Dvmap attempts to gain root access by using local exploits.^[1]
Mobile	T1625	.001	Hijack Execution Flow: System Runtime API Hijacking	Dvmap replaces `/system/bin/ip` with a malicious version. Dvmap can inject code by patching `libdmv.so` or `libandroid_runtime.so`, depending on the Android OS version. Both libraries are related to the Dalvik and ART runtime environments. The patched functions can only call `/system/bin/ip`, which was replaced with the malicious version.^[1]
Mobile	T1629	.003	Impair Defenses: Disable or Modify Tools	Dvmap can turn off `VerifyApps`, and can grant Device Administrator permissions via commands only, rather than using the UI.^[1]
Mobile	T1406		Obfuscated Files or Information	Dvmap decrypts executables from archive files stored in the `assets` directory of the installation binary.^[1]
Mobile	T1632	.001	Subvert Trust Controls: Code Signing Policy Modification	Dvmap can enable installation of apps from unknown sources.^[1]
Mobile	T1426		System Information Discovery	Dvmap checks the Android version to determine which system library to patch.^[1]

References

R. Unuchek. (2017, June 8). Dvmap: the first Android malware with code injection. Retrieved December 10, 2019.

Dvmap

Mobile Layer

Techniques Used

References