Dvmap: Android malware

Original Issue Date:- June 09, 2017
Type:- Trojan
Severity:- Low

It has been reported that a malware named as “Dvmap” affecting android devices was spreading. The malware is capable of rooting the infected android devices and thereafter inject its own malicious code in to the system routine libraries – libdmv.so or libandroid_runtime.so. Dvmap Trojan works on 32-bit and 64-bit versions of Android, once installed it attempts to gain root access on the device and tries to install several modules on the system. The malware spreads by means of apps hosted on Google Play Store. This malicious apps is now removed from the Google Play Store.

To bypass Google Play Store security checks, the malware authors first uploaded a clean app to the store later updated with the malicious version for short period of time. It has been reported that the authors upload the clean version back on Google Play at the end of same day. This practice was observed several times during April-May.

The malicious Dvmap apps decrypt several archive files from the assets folder of the installation package and launch an executable file from them with the name “start".

The archives are used in phases, initial phase of infection uses Game321.res, Game322.res, Game323.res & Game642.res and the main phase of infection uses Game324.res and Game644.res archive assets.

In the initial phase, the Trojan tries to gain root privileges on the android device and installs some modules. If these files successfully gain root privileges, the Trojan will then install several tools into the android system along with the malicious app “com.qualcmm.timeservices”.

During Main phase, the Trojan launches the “start” file from Game324.res or Game644.res. The trojan will check the version of Android installed and decides suitable library for patch.

The Trojan will replace the original "/system/bin/ip" with a malicious one from the archive (Game324.res or Game644.res) to make sure that the malicious modules of trojan get executed with system rights. This file "/system/bin/ip" will be executed by the patched system library to turn off “VerifyApps” and enable the installation of apps from third party stores by changing system settings. It can grant Administrator rights to the app “com.qualcmm.timeservices” without any interaction with the user.

The app “com.qualcmm.timeservices” downloads further archives and execute the “start” binary from them. This app could launch other malicious apps or advertisements files.

MD5 checksum of malicious apps



  • Prior to downloading / installing apps on android devices (even from Google Play Store):
    • Alwars review the app details, number of downloads, user reviews, comments and "ADDITIONAL INFORMATION" section.
    • Verify app permissions and grant only those permissions which have relevant context for the app's purpose.
  • Install and maintain updated antivirus solution on android devices.
  • Scan the suspected device with antivirus solutions to detect and clean infections.
  • If the device is infected un-install malicious app.
  • Maintain regular backup of device.
  • Do not download and install applications from untrusted sources. Install applications downloaded from reputed application market only.
  • Do not click on banners or popup or ads notifications.
  • Turn on 2-factor authentication for your Google/other account.
  • Run a full system scan on device with mobile security solution or mobile antivirus solution.
  • Install Android updates and patches as and when available from Android device vendors.
  • Use device encryption or encrypting external SD card feature available with most of the android OS.
  • Users are advised to monitor device battery usage and Data usage including application wise usage.
  • Use Android Device Manager to locate, remotely lock, or erase your device.
  • Avoid using unsecured, unknown Wi-Fi networks. There may be rogue Wi-Fi access points at public places used for distributing malicious applications.
  • Refer to security tips for mobile Phone: