S0420 Dvmap
Dvmap is rooting malware that injects malicious code into system runtime libraries. It is credited with being the first malware that performs this type of code injection.1
Item | Value |
---|---|
ID | S0420 |
Associated Names | |
Type | MALWARE |
Version | 1.0 |
Created | 10 December 2019 |
Last Modified | 22 January 2020 |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
mobile | T1475 | Deliver Malicious App via Authorized App Store | Dvmap was delivered via the Google Play Store. It evaded Google Play Store checks by uploading a clean application, and replacing it with a malicious version for a short period of time. This occurred at least 5 times in a one month period.1 |
mobile | T1407 | Download New Code at Runtime | Dvmap can download code and binaries from the C2 server to execute on the device as root.1 |
mobile | T1404 | Exploit OS Vulnerability | Dvmap attempts to gain root access by using local exploits.1 |
mobile | T1478 | Install Insecure or Malicious Configuration | Dvmap can enable installation of apps from unknown sources, turn off Verify Apps, and grant Device Administrator permissions via commands only, rather than through the UI.1 |
mobile | T1400 | Modify System Partition | Dvmap replaces /system/bin/ip with a malicious version. Dvmap can inject code by patching libdvm.so or libandroid_runtime.so, depending on the Android OS version; both libraries belong to the Dalvik and ART runtime environments. The injected code does nothing but execute /system/bin/ip, which was replaced with the malicious version.1 |
mobile | T1406 | Obfuscated Files or Information | Dvmap decrypts executables from archive files stored in the assets directory of the installation APK.1 |
mobile | T1426 | System Information Discovery | Dvmap checks the Android version to determine which system library to patch.1 |
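The two techniques above that leave durable traces on the device, the insecure settings (T1478) and the replaced system files (T1400), can be checked from an ADB session. The script below is an added example written for this page; it is not code from the ATT&CK entry or from the Kaspersky report it cites. It assumes the settings keys that older Android builds expose through `settings get` (`install_non_market_apps` and `package_verifier_enable`), a known-good hash manifest that the operator builds from the device's factory image (not shipped here), `adb` on the PATH for the `--live` mode, and the hypothetical file name `dvmap_audit.sh`. The audit functions take their inputs as arguments and a local directory tree, so they can be exercised offline against a constructed tree.

```shell
#!/bin/sh
# Added example, not code from the ATT&CK page or the Kaspersky report.
# Audits a device for the Dvmap indicators described above:
#   T1478: unknown-source installs enabled / Verify Apps turned off
#   T1400: /system/bin/ip and runtime libraries differing from known-good hashes
# Assumptions: the settings keys below are the ones older Android versions
# expose through `settings get`; the known-good manifest is produced by the
# operator from a factory image and is not part of this script.

# Portable sha256 of a file (sha256sum on Linux/toybox, shasum on macOS).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# audit_settings UNKNOWN_SOURCES VERIFY_APPS
#   UNKNOWN_SOURCES: value of `settings get secure install_non_market_apps`
#   VERIFY_APPS:     value of `settings get global package_verifier_enable`
# Prints one finding per line. Returns 1 if any setting is weak, else 0.
audit_settings() {
  rc=0
  if [ "$1" = "1" ]; then
    echo "T1478: installation from unknown sources is enabled"
    rc=1
  fi
  # The verifier key reads "null" when never written; treat anything but 1 as off.
  if [ "$2" != "1" ]; then
    echo "T1478: app verification (Verify Apps) is disabled"
    rc=1
  fi
  return $rc
}

# audit_system_files ROOT MANIFEST
#   MANIFEST lines: "<sha256> <path relative to ROOT>", e.g.
#   "2cf24... system/bin/ip" (same layout as sha256sum output).
# Prints a finding per missing or modified file. Returns 1 on any finding.
audit_system_files() {
  root=$1
  rc=0
  while read -r want rel; do
    [ -z "$rel" ] && continue
    f="$root/$rel"
    if [ ! -f "$f" ]; then
      echo "T1400: $rel is missing"
      rc=1
      continue
    fi
    have=$(sha256_of "$f")
    if [ "$have" != "$want" ]; then
      echo "T1400: $rel does not match its known-good hash"
      rc=1
    fi
  done < "$2"
  return $rc
}

# Live use (assumption: adb on PATH, one connected device):
#   sh dvmap_audit.sh --live known-good.manifest
if [ "${1:-}" = "--live" ]; then
  manifest=$2
  us=$(adb shell settings get secure install_non_market_apps | tr -d '\r')
  pv=$(adb shell settings get global package_verifier_enable | tr -d '\r')
  audit_settings "$us" "$pv"
  tmp=$(mktemp -d)
  # Pull every file named in the manifest, then hash the pulled copies.
  while read -r _ rel; do
    [ -z "$rel" ] && continue
    mkdir -p "$tmp/$(dirname "$rel")"
    adb pull "/$rel" "$tmp/$rel" >/dev/null
  done < "$manifest"
  audit_system_files "$tmp" "$manifest"
fi
```

The manifest should list at least `system/bin/ip` and the runtime library the device's Android version uses (`system/lib/libdvm.so` on Dalvik builds, `system/lib/libandroid_runtime.so` otherwise). Hashes must come from the exact factory build of the device; a mismatch against a manifest from a different build is not evidence of tampering.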