Dvmap is rooting malware that injects malicious code into system runtime libraries. It is credited with being the first malware that performs this type of code injection.[1]

ID: S0420
Platforms: Android
Version: 1.0
Created: 10 December 2019
Last Modified: 22 January 2020

Techniques Used

Domain ID Name Use
Mobile T1475 Deliver Malicious App via Authorized App Store

Dvmap was delivered via the Google Play Store. It evaded Google Play Store checks by uploading a clean application and then replacing it with a malicious version for a short period of time. This occurred at least 5 times in a one month period.[1]

Mobile T1407 Download New Code at Runtime

Dvmap can download code and binaries from the C2 server to execute on the device as root.[1]

Mobile T1404 Exploit OS Vulnerability

Dvmap attempts to gain root access by using local exploits.[1]

Mobile T1478 Install Insecure or Malicious Configuration

Dvmap can enable installation of apps from unknown sources, turn off VerifyApps, and grant itself Device Administrator permissions through commands rather than through the UI.[1]

Mobile T1400 Modify System Partition

Dvmap replaces /system/bin/ip with a malicious version. Dvmap can inject code by patching libdmv.so or libandroid_runtime.so, depending on the Android OS version. Both libraries are related to the Dalvik and ART runtime environments. The patched functions can only call /system/bin/ip, which was replaced with the malicious version.[1]
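As an added example, not part of this ATT&CK entry: a small Python check that a defender could run over a pulled copy of the system files and a settings dump to spot the changes described under T1478 and T1400 (a replaced /system/bin/ip or patched runtime library, and weakened install settings). The directory of the two libraries and the baseline hashes are assumptions; the two settings keys are the real Android Settings names for "unknown sources" and VerifyApps.

```python
import hashlib
from typing import Dict, List

# Paths the entry says Dvmap replaces or patches. The directory of the two
# libraries is an assumption; the entry gives only their file names.
DVMAP_FILES = [
    "/system/bin/ip",
    "/system/lib/libdmv.so",
    "/system/lib/libandroid_runtime.so",
]

# Android settings behind the configuration the entry says Dvmap weakens:
# "unknown sources" (Settings.Secure) and VerifyApps (Settings.Global).
WEAK_SETTINGS = {
    "install_non_market_apps": "1",  # unknown sources enabled
    "package_verifier_enable": "0",  # VerifyApps disabled
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def check_system_files(contents: Dict[str, bytes], baseline: Dict[str, str]) -> List[str]:
    """Flag each baseline path whose current SHA-256 differs from the known-good value."""
    findings = []
    for path, expected in baseline.items():
        if path not in contents:
            findings.append(f"{path}: missing")
        elif sha256_hex(contents[path]) != expected:
            findings.append(f"{path}: hash mismatch, possible replacement or patch")
    return findings


def check_settings(settings: Dict[str, str]) -> List[str]:
    """Flag settings that match the weakened state Dvmap is reported to set."""
    return [f"{k}={v}: weakened setting" for k, v in WEAK_SETTINGS.items()
            if settings.get(k) == v]


# Constructed sample data: a "clean" image to derive the baseline from, and a
# device where /system/bin/ip was swapped and both settings were weakened.
CLEAN_IMAGE = {p: f"clean contents of {p}".encode() for p in DVMAP_FILES}
BASELINE = {p: sha256_hex(b) for p, b in CLEAN_IMAGE.items()}
SUSPECT_IMAGE = dict(CLEAN_IMAGE, **{"/system/bin/ip": b"not the real ip binary"})
SUSPECT_SETTINGS = {"install_non_market_apps": "1", "package_verifier_enable": "0"}


def run_checks(contents: Dict[str, bytes], settings: Dict[str, str],
               baseline: Dict[str, str] = BASELINE) -> List[str]:
    return check_system_files(contents, baseline) + check_settings(settings)


if __name__ == "__main__":
    for line in run_checks(SUSPECT_IMAGE, SUSPECT_SETTINGS):
        print(line)
```

On a real device the baseline would come from a trusted firmware image of the same build, and the settings values from `settings get secure install_non_market_apps` and `settings get global package_verifier_enable`.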

Mobile T1406 Obfuscated Files or Information

Dvmap decrypts executables from archive files stored in the assets directory of the installation binary.[1]

Mobile T1426 System Information Discovery

Dvmap checks the Android version to determine which system library to patch.[1]