Google's security team removed an Android app named "colourblock" from the official Play Store after security researchers from Kaspersky Labs discovered a dangerous trojan hidden inside it.
At the time it was removed, the app had been downloaded over 50,000 times. This is a low number compared to other trojans, but only because the app had been uploaded to the Play Store recently, in March 2017.
According to Kaspersky security analyst Roman Unuchek, the initial version of this app was clean and didn't contain any malicious functionality.
Things changed between 18 April and 15 May, when the app's creators updated colourblock at least five different times, switching the clean app with a malicious version, leaving the malicious app on the Play Store, and restoring the clean version after a day.
These five small bursts of malicious updates spread a trojan to the users who updated colourblock during those short time windows when the app was tainted with malicious code.
According to Unuchek, the app spread a new trojan, not seen before in other infections. The expert says this new trojan — which he named DVMap — contained four exploit packages that it used in an attempt to root the user's device.
Three of these exploit packages targeted Android devices running on 32-bit systems, while the fourth targeted devices on 64-bit platforms.
If the trojan managed to execute these rooting packages, the trojan would get root privileges, which it would later use to tamper with core system files belonging to the Android operating system itself.
This is not the first time security experts have discovered an Android trojan that tampers with Android core system files. Last year, Dr.Web researchers came across the Android Loki trojan, which also used four exploits to gain root privileges and inject itself into the Android system_server process.
On the other hand, DVMap injected itself into the libdvm.so library (for devices running Android 4.4.4 and older) or the libandroid_runtime.so library (for devices running Android 5 or older).
Unuchek says the DVMap trojan contains code that allows it to turn off "VerifyApps," a powerful Google security feature built into all Android devices that can detect malicious Android apps.
With this feature disabled, the DVMap trojan is then free to install third-party apps on the user's device, without VerifyApps alerting the user of any dangers.
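The two behaviours described above (patching a core runtime library in /system and switching off Verify Apps) both leave checkable traces on a device. The following script is an added example, not code from the article or from Kaspersky: it builds a SHA-256 baseline of the two libraries DVMap is reported to target from a known-clean image, compares a pulled copy of a suspect device's filesystem against that baseline, and interprets the output of `adb shell settings get global package_verifier_enable` (the key name and its `0` meaning "off" are assumptions, not taken from the article). The library contents and directory layout in `demo()` are constructed so the script runs offline.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Relative paths (under a pulled /system image) of the runtime libraries the
# article says DVMap injects itself into. Which one a device uses depends on
# its Android version; we simply watch both.
WATCHED_LIBS = ["system/lib/libdvm.so", "system/lib/libandroid_runtime.so"]


def sha256_file(path):
    """Stream a file through SHA-256 so large libraries don't need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(clean_root):
    """Record digests of the watched libraries from a known-clean image
    (same build fingerprint as the device you intend to check)."""
    baseline = {}
    for rel in WATCHED_LIBS:
        path = os.path.join(clean_root, rel)
        if os.path.exists(path):
            baseline[rel] = sha256_file(path)
    return baseline


def check_image(suspect_root, baseline):
    """Compare a pulled image against the baseline.
    Returns a list of (relative_path, 'missing' | 'modified') findings."""
    findings = []
    for rel, expected in baseline.items():
        path = os.path.join(suspect_root, rel)
        if not os.path.exists(path):
            findings.append((rel, "missing"))
        elif sha256_file(path) != expected:
            findings.append((rel, "modified"))
    return findings


def verify_apps_disabled(settings_output):
    """Interpret the raw output of
    `adb shell settings get global package_verifier_enable`.
    Assumption: the key exists on the device and '0' means the verifier is off;
    'null' (unset) or any other value is treated as not-disabled."""
    return settings_output.strip() == "0"


def demo():
    """Constructed scenario: a clean image and a copy whose
    libandroid_runtime.so has had bytes appended, as an injected payload would."""
    with tempfile.TemporaryDirectory() as clean, tempfile.TemporaryDirectory() as suspect:
        for root in (clean, suspect):
            for rel in WATCHED_LIBS:
                p = Path(root, rel)
                p.parent.mkdir(parents=True, exist_ok=True)
                p.write_bytes(b"ELF-placeholder-" + rel.encode())  # constructed content
        baseline = build_baseline(clean)
        with open(Path(suspect, WATCHED_LIBS[1]), "ab") as f:
            f.write(b"injected")  # simulate tampering with the runtime library
        return check_image(suspect, baseline)


if __name__ == "__main__":
    print(demo())
    print("Verify Apps disabled:", verify_apps_disabled("0\n"))
```

In practice the baseline comes from a factory image or a freshly flashed device, the suspect files are pulled with `adb pull /system/lib/...`, and any `modified` finding on a library that no OTA update has touched is a strong indicator of the kind of system-file tampering the article describes.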
Fortunately, the DVMap trojan appeared to be in a development stage, and its C&C server never sent any malicious instructions or apps to the devices Unuchek deliberately infected with this malware to test and monitor its behavior.