S0420 Dvmap

Dvmap is rooting malware that injects malicious code into system runtime libraries. It is credited with being the first malware that performs this type of code injection.[1]

| Item | Value |
|---|---|
| ID | S0420 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.0 |
| Created | 10 December 2019 |
| Last Modified | 22 January 2020 |

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| mobile | T1407 | Download New Code at Runtime | Dvmap can download code and binaries from the C2 server to execute on the device as root.[1] |
| mobile | T1404 | Exploitation for Privilege Escalation | Dvmap attempts to gain root access by using local exploits.[1] |
| mobile | T1625 | Hijack Execution Flow | - |
| mobile | T1625.001 | System Runtime API Hijacking | Dvmap replaces /system/bin/ip with a malicious version. Dvmap can inject code by patching libdmv.so or libandroid_runtime.so, depending on the Android OS version. Both libraries are related to the Dalvik and ART runtime environments. The patched functions can only call /system/bin/ip, which was replaced with the malicious version.[1] |
| mobile | T1629 | Impair Defenses | - |
| mobile | T1629.003 | Disable or Modify Tools | Dvmap can turn off VerifyApps, and can grant Device Administrator permissions via commands only, rather than using the UI.[1] |
| mobile | T1406 | Obfuscated Files or Information | Dvmap decrypts executables from archive files stored in the assets directory of the installation binary.[1] |
| mobile | T1632 | Subvert Trust Controls | - |
| mobile | T1632.001 | Code Signing Policy Modification | Dvmap can enable installation of apps from unknown sources.[1] |
| mobile | T1426 | System Information Discovery | Dvmap checks the Android version to determine which system library to patch.[1] |

References