
S0420 Dvmap

Dvmap is Android rooting malware that injects malicious code into system runtime libraries. It is credited with being the first malware to perform this type of code injection.[1]

ID: S0420
Associated Names: (none)
Type: MALWARE
Version: 1.0
Created: 10 December 2019
Last Modified: 22 January 2020

Techniques Used

Domain ID Name: Use
mobile T1475 Deliver Malicious App via Authorized App Store: Dvmap was delivered via the Google Play Store. It evaded Google Play checks by uploading a clean application and then replacing it with a malicious version for a short period of time; this occurred at least five times in a one-month period.[1]
mobile T1407 Download New Code at Runtime: Dvmap can download code and binaries from the C2 server and execute them on the device as root.[1]
mobile T1404 Exploit OS Vulnerability: Dvmap attempts to gain root access using local exploits.[1]
mobile T1478 Install Insecure or Malicious Configuration: Dvmap can enable installation of apps from unknown sources, turn off VerifyApps, and grant itself Device Administrator permissions by issuing commands directly rather than through the UI.[1]
mobile T1400 Modify System Partition: Dvmap replaces /system/bin/ip with a malicious version. It injects code by patching libdvm.so or libandroid_runtime.so, depending on the Android OS version; the two libraries belong to the Dalvik and ART runtime environments respectively. The patched functions do nothing but execute /system/bin/ip, which has been replaced with the malicious version.[1]
mobile T1406 Obfuscated Files or Information: Dvmap decrypts executables from archive files stored in the assets directory of the installation package (APK).[1]
mobile T1426 System Information Discovery: Dvmap checks the Android version to determine which system library to patch.[1]
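The T1400, T1478 and T1426 rows above describe concrete, checkable changes: two settings flipped, a Device Administrator granted, and three system files replaced or patched, with the runtime library chosen by Android version. The following triage script is an added example (not code from the ATT&CK page or from the Dvmap analysis it cites) that turns those indicators into checks a responder could run against a device over adb. Assumptions: `adb` is on PATH; the device supports `settings get`, `dumpsys device_policy` and `sha256sum` (toybox, Android 6 and later); `install_non_market_apps` is read from the global settings namespace, where it lives on the 4.x to 7.x releases; the `dumpsys` line layout matched by `parse_device_admins` is an assumption; and the `BASELINE` hashes are constructed placeholders that must be replaced with hashes taken from a clean firmware image of the same build. The parsing and comparison functions take raw command output as strings, so they can be exercised offline on captured output.

```python
"""Offline-testable triage for the Dvmap indicators listed above (T1400, T1478, T1426).

Added example, not code from the ATT&CK page or the Dvmap analysis it cites.
Assumptions: `adb` is on PATH; the device exposes `settings get`,
`dumpsys device_policy` and `sha256sum` (toybox, Android 6+); the `dumpsys`
line layout matched below is an assumption; BASELINE hashes are constructed
placeholders that must be replaced with values from a clean firmware image.
"""
import re
import subprocess

REPLACED_BINARY = "/system/bin/ip"
# The library Dvmap patches depends on the runtime in use (Dalvik vs ART).
# 32-bit paths only; 64-bit ART devices also carry /system/lib64 copies.
DALVIK_LIB = "/system/lib/libdvm.so"
ART_LIB = "/system/lib/libandroid_runtime.so"

# Constructed placeholder hashes (NOT real Android build hashes).
BASELINE = {
    REPLACED_BINARY: "a" * 64,
    DALVIK_LIB: "b" * 64,
    ART_LIB: "c" * 64,
}


def adb_shell(cmd, adb="adb"):
    """Run one command on the attached device and return its stdout."""
    return subprocess.run([adb, "shell", cmd], capture_output=True,
                          text=True, check=False).stdout


def runtime_lib_for(release):
    """Mirror Dvmap's own version check (T1426): Dalvik library on 4.x, ART library on 5+."""
    major = int(release.strip().split(".")[0])
    return DALVIK_LIB if major < 5 else ART_LIB


def audit_settings(install_non_market, package_verifier):
    """T1478: flag the two settings Dvmap flips, given raw `settings get` output."""
    findings = []
    if install_non_market.strip() == "1":
        findings.append("install_non_market_apps=1 (unknown sources allowed)")
    if package_verifier.strip() == "0":
        findings.append("package_verifier_enable=0 (Verify Apps disabled)")
    return findings


def parse_device_admins(dumpsys_output):
    """Extract 'pkg/.Receiver' entries listed under 'Enabled Device Admins'.

    Assumed layout: indented '<component>:' lines following that header.
    """
    admins = []
    in_section = False
    for line in dumpsys_output.splitlines():
        if "Enabled Device Admins" in line:
            in_section = True
            continue
        if in_section:
            m = re.match(r"^\s+([\w.]+/[\w.$]+):\s*$", line)
            if m:
                admins.append(m.group(1))
            elif line and not line.startswith(" "):
                in_section = False  # next top-level section ends the list
    return admins


def parse_sha256sum(output):
    """Turn `sha256sum` lines ('<hex>  <path>') into {path: hex}."""
    result = {}
    for line in output.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and re.fullmatch(r"[0-9a-f]{64}", parts[0]):
            result[parts[1].strip()] = parts[0]
    return result


def check_integrity(observed, baseline):
    """T1400: paths whose hash differs from the clean baseline, or that are missing."""
    return [p for p, h in baseline.items() if observed.get(p) != h]


def main():
    release = adb_shell("getprop ro.build.version.release")
    lib = runtime_lib_for(release)
    findings = audit_settings(
        adb_shell("settings get global install_non_market_apps"),
        adb_shell("settings get global package_verifier_enable"))
    admins = parse_device_admins(adb_shell("dumpsys device_policy"))
    observed = parse_sha256sum(adb_shell(f"sha256sum {REPLACED_BINARY} {lib}"))
    tampered = check_integrity(observed,
                               {p: BASELINE[p] for p in (REPLACED_BINARY, lib)})
    for f in findings:
        print("CONFIG:", f)
    print("DEVICE ADMINS:", admins)
    print("MODIFIED OR MISSING:", tampered)


if __name__ == "__main__":
    main()
```

A hash mismatch on the runtime library is the strongest of the three signals, since Dvmap patches the library rather than the app process: a clean-looking process list says nothing once the runtime itself executes /system/bin/ip. Any Device Administrator entry that the user does not recognise should be treated in the same light, because the page notes Dvmap grants the permission without going through the UI.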

References
