The malware, dubbed Dvmap, was disguised as a game that had been downloaded more than 50,000 times before its removal.
According to Kaspersky security analysts, to bypass the Google Play Store’s security checks, the malware creators uploaded a clean app to the store at the end of March. They then updated this with a malicious version for a short period of time, before uploading another clean version. In the space of four weeks they did this at least five times.
The Dvmap Trojan installs itself in a victim’s device in two stages. During the initial phase, it tries to gain root rights on the device. If successful, it installs a number of tools, some of which carry comments in the Chinese language.
In the main phase of infection, the Trojan launches a “start” file, checks the version of Android installed and decides which library to inject its code into. Then it overwrites the existing code with malicious code, causing the infected device to crash.
The newly-patched system libraries execute a malicious module which can turn off the ‘VerifyApps’ feature. It then switches on the setting ‘Unknown sources’ which allows it to install apps from anywhere, not just the Google Play Store.
“The Dvmap Trojan marks a dangerous new development in Android malware, with the malicious code injecting itself into system libraries where it is harder to detect and remove,” Roman Unuchek, senior malware analyst at Kaspersky Lab, said.
“Users who don’t have the security in place to identify and block the threat before it breaks in have a difficult time ahead.”
Users concerned they may have been infected by Dvmap are advised to back up all their data and perform a factory data reset.
Kaspersky also advises all users to install a reliable security solution on their device, always check that apps have been created by a reputable developer, keep their OS and application software up-to-date, and not download anything that looks suspicious or whose source cannot be verified.