More than 50,000 Android devices have downloaded a strain of Android malware, known as "DvMap", with a rare capability: it gains "root" access to the smartphone or tablet and injects malicious code directly into system libraries.
According to Russia-based security firm Kaspersky Lab, which published its analysis this week (8 June), that makes DvMap considerably more sophisticated than run-of-the-mill Android malware. The team claimed the discovery may have prevented a "massive and dangerous" future outbreak.
One of the infected applications on the official Google Play Store was called ColourBlock, described as a "challenging, addictive" puzzle game.
Researchers first observed the malware in April this year and reported it to Google on 25 May; the app was finally removed from the store this week (6 June).
"The distribution of rooting malware through Google Play is not a new thing. But Dvmap is very special rooting malware," said Kaspersky malware analyst Roman Unuchek in a blog post.
"The most interesting thing is that it injects malicious code into the system libraries," he added.
Unuchek said DvMap is the "first Android malware that injects malicious code into the system libraries in runtime" and warned that its developers found a way past Google's Play Store checks: upload a clean app, push a malicious update for a short period of time, then return to a clean version before repeating the cycle.
The attackers repeated this cycle at least five times between 18 April and 15 May, Kaspersky found.
Each malicious build had the same capabilities: it attempts to gain root privileges on the device and then installs several "tools" into the system partition. It then checks which Android version is installed and patches an existing system library, overwriting part of its code with malicious code.
The Trojan then writes the patched library back into the system directory, so that it is loaded by the main system processes. The patched code can turn off "VerifyApps", Google's built-in scanner for apps as they are installed, and permit the installation of untrusted apps from third-party sources.
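The two post-infection indicators described above, a changed system library and weakened install protections, are things a practitioner can check for directly. The following Python checker is an added example and not Kaspersky's tooling or anything from the article: it compares on-device `sha256sum` output for system libraries against a known-good baseline and reads the two Android settings that VerifyApps and "unknown sources" are stored in (`package_verifier_enable` in the `global` namespace and `install_non_market_apps` in the `secure` namespace, which is assumed here to be correct for Android versions of that era). The library names and digests in the sample are constructed so the script runs offline.

```python
"""Flag a patched system library and disabled install protections.

Added example, not Kaspersky's code. Inputs are the text produced by
`adb shell settings get ...` and `adb shell sha256sum ...`; the sample data
at the bottom is constructed so the checker runs offline.
"""
import hashlib
import re
from dataclasses import dataclass
from typing import Dict, List

# Settings keys read by the checker (assumed correct for Android of this era):
#   adb shell settings get global package_verifier_enable  -> "1" when VerifyApps is on
#   adb shell settings get secure install_non_market_apps  -> "1" when unknown sources are allowed
VERIFIER_KEY = "package_verifier_enable"
UNKNOWN_SOURCES_KEY = "install_non_market_apps"

# One line of `sha256sum` output: 64 hex chars, whitespace, optional "*", path.
_SHA256_LINE = re.compile(r"^([0-9a-f]{64})\s+\*?(\S.*)$")


@dataclass(frozen=True)
class Finding:
    severity: str  # "high" or "medium"
    message: str


def parse_sha256sum(output: str) -> Dict[str, str]:
    """Parse `sha256sum` output ("<hex>  <path>" per line) into {path: hex}."""
    digests: Dict[str, str] = {}
    for line in output.splitlines():
        m = _SHA256_LINE.match(line.strip())
        if m:
            digests[m.group(2)] = m.group(1)
    return digests


def check_library_integrity(baseline: Dict[str, str],
                            observed: Dict[str, str]) -> List[Finding]:
    """Compare device library digests with a known-good baseline.

    A changed digest on a file under /system is the direct indicator of the
    library patching described above; a missing file is also worth a look.
    """
    findings: List[Finding] = []
    for path, expected in sorted(baseline.items()):
        actual = observed.get(path)
        if actual is None:
            findings.append(Finding("medium", f"{path}: not present on device"))
        elif actual != expected:
            findings.append(Finding("high", f"{path}: digest mismatch (patched?)"))
    return findings


def check_install_protections(settings: Dict[str, str]) -> List[Finding]:
    """Flag the two settings the patched library is said to flip."""
    findings: List[Finding] = []
    if settings.get(VERIFIER_KEY, "null") != "1":
        findings.append(Finding("high", "VerifyApps (package verifier) is disabled"))
    if settings.get(UNKNOWN_SOURCES_KEY) == "1":
        findings.append(Finding("medium", "installation from unknown sources is enabled"))
    return findings


def assess(settings: Dict[str, str], baseline: Dict[str, str],
           sha256sum_output: str) -> List[Finding]:
    """Run both checks; settings findings first, then library findings by path."""
    observed = parse_sha256sum(sha256sum_output)
    return check_install_protections(settings) + check_library_integrity(baseline, observed)


def _digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed sample: baseline digests from a clean device of the same build
# (library names are placeholders, not the libraries DvMap touches).
_CLEAN_FOO = b"clean libfoo contents"
_CLEAN_BAR = b"clean libbar contents"
_PATCHED_BAR = _CLEAN_BAR + b"\x90" * 16  # constructed: bytes appended by a "patch"

SAMPLE_BASELINE = {
    "/system/lib/libfoo.so": _digest(_CLEAN_FOO),
    "/system/lib/libbar.so": _digest(_CLEAN_BAR),
}

# Constructed `sha256sum` output from a suspect device: libbar.so has changed.
SAMPLE_SHA256SUM_OUTPUT = "\n".join([
    _digest(_CLEAN_FOO) + "  /system/lib/libfoo.so",
    _digest(_PATCHED_BAR) + "  /system/lib/libbar.so",
])

# Constructed settings as a DvMap-style infection would leave them.
SAMPLE_SETTINGS = {VERIFIER_KEY: "0", UNKNOWN_SOURCES_KEY: "1"}


def run_sample() -> List[Finding]:
    return assess(SAMPLE_SETTINGS, SAMPLE_BASELINE, SAMPLE_SHA256SUM_OUTPUT)


if __name__ == "__main__":
    for f in run_sample():
        print(f"[{f.severity.upper()}] {f.message}")
```

On a real device the inputs come from `adb shell settings get global package_verifier_enable`, `adb shell settings get secure install_non_market_apps` and `adb shell sha256sum /system/lib/*.so` (the `sha256sum` applet is assumed to be present in the device's toybox). The baseline must be captured from a clean device running exactly the same firmware build; a digest mismatch after a legitimate OTA update is a false positive, not an infection.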
The Trojan carries four exploit pack files, three for 32-bit systems and one for 64-bit systems, Kaspersky said.
Unuchek was able to connect to the operators' command-and-control (C&C) server, but that is as far as the analysis currently goes.
"I don't know what kind of files will be executed, but they could be malicious or advertising files," he said.
"This Trojan was distributed through the Google Play Store and uses a number of very dangerous techniques, including patching system libraries," he continued.
"It looks like its main purpose is to get into the system and execute downloaded files with root rights. I think the authors are still testing this malware, because they use some techniques which can break the infected devices. They already have a lot of infected users [...] to test their methods.
"But I hope that by uncovering this malware at such an early stage, we will be able to prevent a massive and dangerous attack when the attackers are ready to actively use their methods."