Dvmap: the first Android malware with code injection capabilities

25 June 2017

On the train back from Berlin last week I had the opportunity to go through my reading list. The news about Dvmap, an Android malware with code injection capabilities, caught my attention.

Kaspersky’s Roman Unuchek published a great post in the Kaspersky Lab Securelist blog on 8 June 2017 about Dvmap. Dvmap is hidden in the app colourblock, which was downloaded more than 50,000 times from the Google Play Store. Google has since removed the app from the Play Store.

Dvmap injects malicious code into the Android system libraries at runtime and deactivates security features of the OS. It is capable of downloading extensions from a C&C server. In addition, the attackers used a clever method to bypass the security checks of the Play Store.

To inject code into system libraries at runtime on Linux-based operating systems, root privileges are required. And this is what Dvmap tries first. Since an ordinary app does not run as root, the trojan must exploit existing, unpatched vulnerabilities to gain root rights.

| Support | Codename | Android Version | Linux Kernel | Distribution |
|---|---|---|---|---|
| No | Gingerbread | 2.3.x | 2.6.35 | 0.80% |
| No | Ice Cream Sandwich | 4.0.x | 3.0.1 | 0.80% |
| No | Jelly Bean | 4.1.x | 3.0.31 | 3.10% |
| No | Jelly Bean | 4.2.x | 3.4.0 | 4.40% |
| No | Jelly Bean | 4.3 | 3.4.39 | 1.30% |
| Yes | KitKat | 4.4 | 3.10 | 18.10% |
| Yes | Lollipop | 5.0 | 3.16.1 | 8.20% |
| Yes | Lollipop | 5.1 | 3.16.1 | 22.60% |
| Yes | Marshmallow | 6.0 | 3.10 | 31.20% |
| Yes | Nougat | 7.0 | 4.4.1 | 8.90% |
| Yes | Nougat | 7.1 | 4.4.1 | 0.60% |

(Data collected during a 7-day period ending on June 5, 2017. Any versions with less than 0.1% distribution are not shown. Source: Android Dashboards at Android Developers.com)

The above table shows that 89.6 percent of the Android devices which downloaded software from the Google Play Store run Android versions that are still supported by Google. Sounds good.

Unfortunately, Google delivers patches to its partners, the device manufacturers, who are responsible for distributing them to consumers. And this is where the trouble begins.

In the post ‘Diverse protections for a diverse ecosystem: Android Security 2016 Year in Review’, published on 22 March 2017 in the Google Security Blog, one reads:

We provided monthly security updates for all supported Pixel and Nexus devices throughout 2016, and we’re thrilled to see our partners invest significantly in regular updates as well. There’s still a lot of room for improvement, however. About half of devices in use at the end of 2016 had not received a platform security update in the previous year.

With this, about 55% of the devices which downloaded software from the Google Play Store in June 2017 were vulnerable, e.g. to Dirty Cow (CVE-2016-5195), a nine-year-old bug in the Linux kernel that was discovered in October 2016. Since all Linux kernels from 2.x through 4.x before 4.8.3 were affected, nearly all Android versions are affected as well.
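A defender-side triage check that follows from the two facts above (the affected kernel window and Google's one-year patch criterion), written as an added example that is not from the post or from Kaspersky's analysis. It assumes the `uname -r` and `ro.build.version.security_patch` strings have already been collected from the devices; the three device records are constructed, and the reference date is the end of the dashboard period quoted in the post.

```python
import re
from datetime import date

DIRTY_COW_FIXED = (4, 8, 3)   # first unaffected mainline kernel, per the post
REPORT_DATE = "2017-06-05"    # end of the dashboard collection period, per the post

# Constructed sample records: what getprop / uname -r would return on three devices.
SAMPLE_DEVICES = [
    {"name": "phone-A", "android": "7.1", "kernel": "4.4.1-g12ab34", "security_patch": "2017-05-05"},
    {"name": "phone-B", "android": "5.1", "kernel": "3.16.1-perf", "security_patch": "2016-03-01"},
    {"name": "phone-C", "android": "4.2", "kernel": "3.4.0", "security_patch": ""},
]

def parse_kernel(release):
    """'4.4.1-g12ab34' -> (4, 4, 1); a missing third component counts as 0."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    return tuple(int(x or 0) for x in m.groups())

def kernel_has_dirty_cow(release):
    """True when the kernel version lies in the 2.x .. 4.x-before-4.8.3 window.
    Version alone is a necessary, not sufficient, indicator: vendors backport fixes."""
    v = parse_kernel(release)
    return 2 <= v[0] <= 4 and v < DIRTY_COW_FIXED

def patch_is_stale(security_patch, as_of=REPORT_DATE, max_age_days=365):
    """Stale when the security patch level is missing (pre-6.0 builds do not
    report ro.build.version.security_patch) or more than a year old."""
    if not security_patch:
        return True
    age = date.fromisoformat(as_of) - date.fromisoformat(security_patch)
    return age.days > max_age_days

def assess(device, as_of=REPORT_DATE):
    """Flag a device as exposed only when its kernel is in the affected range
    AND it has gone without a platform security update for over a year."""
    in_range = kernel_has_dirty_cow(device["kernel"])
    stale = patch_is_stale(device["security_patch"], as_of)
    return {"name": device["name"], "kernel_in_affected_range": in_range,
            "patch_stale": stale, "exposed": in_range and stale}

if __name__ == "__main__":
    for dev in SAMPLE_DEVICES:
        print(assess(dev))
```

Only phone-B and phone-C come out as exposed: phone-A has an old-enough kernel string but a recent patch level, which is exactly the case where the kernel version on its own would be misleading.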

From the Android Security Review 2016 we learn that “More than 735 million devices from 200+ manufacturers received a platform security update in 2016”. With this, about 360 million devices are vulnerable to Dirty Cow and Dvmap today.

Google’s partners “invested significantly in regular security updates in the past years”, but sadly not enough. Enterprise customers with an MDM solution like AirWatch in place can manage this risk. The consumers foot the bill. Who cares?

Have a great week!