S0420 Dvmap
Dvmap is rooting malware that injects malicious code into system runtime libraries. It is credited with being the first malware that performs this type of code injection.[1]
| Item | Value |
|---|---|
| ID | S0420 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.0 |
| Created | 10 December 2019 |
| Last Modified | 22 January 2020 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| mobile | T1407 | Download New Code at Runtime | Dvmap can download code and binaries from the C2 server to execute on the device as root.[1] |
| mobile | T1404 | Exploitation for Privilege Escalation | Dvmap attempts to gain root access by using local exploits.[1] |
| mobile | T1625 | Hijack Execution Flow | - |
| mobile | T1625.001 | System Runtime API Hijacking | Dvmap replaces /system/bin/ip with a malicious version. Dvmap can inject code by patching libdvm.so or libandroid_runtime.so, depending on the Android OS version. Both libraries are related to the Dalvik and ART runtime environments. The patched functions do nothing other than invoke /system/bin/ip, which has been replaced with the malicious version.[1] |
| mobile | T1629 | Impair Defenses | - |
| mobile | T1629.003 | Disable or Modify Tools | Dvmap can turn off VerifyApps, and can grant Device Administrator permissions via commands only, rather than through the UI.[1] |
| mobile | T1406 | Obfuscated Files or Information | Dvmap decrypts executables from archive files stored in the assets directory of the installation binary.[1] |
| mobile | T1632 | Subvert Trust Controls | - |
| mobile | T1632.001 | Code Signing Policy Modification | Dvmap can enable installation of apps from unknown sources.[1] |
| mobile | T1426 | System Information Discovery | Dvmap checks the Android version to determine which system library to patch.[1] |