The Dirty COW vulnerability was discovered by the security expert Phil Oester in October 2016, it could be exploited by a local attacker to escalate privileges.
The name ‘Dirty COW’ is due to the fact that it’s triggered by a race condition in the way the Linux kernel memory subsystem handles copy-on-write (COW) breakage of private read-only memory mappings.
The flaw affects Android devices as well, for this reason, Google issued a security patch for its mobile OS in December, as part of its monthly set of security updates.
Researchers with Trend Micro revealed in early December that the flaw can be exploited by attackers is many ways to write malicious code directly into processes.
Back to the present, Trend Micro discovered the first malware family that exploits the Dirty COW flaw on the Android platform.
“Almost a year later, Trend Micro researchers captured samples of ZNIU (detected as AndroidOS_ZNIU)—the first malware family to exploit the vulnerability on the Android platform.” reads the analysis published by Trend Micro.
“The ZNIU malware was detected in more than 40 countries last month,”
The infections spread across more than 40 countries last month, 5,000 users have been already infected by the ZNIU malware, most of the attacks have been observed in China and India, followed by the U.S., Japan, Canada, Germany, and Indonesia.
The experts discovered more than 1,200 malicious apps that carry ZNIU in malicious websites, the applications include a rootkit that exploits Dirty COW.
According to the experts, the malicious code only works on Android devices based on ARM/X86 64-bit architecture. The exploit is able to bypass SELinux and establish a root backdoor.
“We worked on a Proof-of-Concept (PoC) for Dirty COW last year and found out that all versions of the Android OS were susceptible to exploitation, while ZNIU’s leveraging of Dirty COW only works on Android devices with ARM/X86 64-bit architecture. However, this recent exploit can bypass SELinux and plant a root backdoor, while the PoC can only modify the service code of the system.” continues the analysis.
“We monitored six ZNIU rootkits, four of which were Dirty COW exploits. The other two were KingoRoot, a rooting app, and the Iovyroot exploit (CVE-2015-1805). ZNIU used KingoRoot and Iovyroot because they can root ARM 32-bit CPU devices, which the rootkit for Dirty COW cannot.”
The malicious code is concealed behind an apparent porn app that once installed contact the C&C server to updates itself. The malware fetches the appropriate rootkits from the C&C server, use the exploit to escalate privileges and establish a backdoor.
The domain and command and control server used by the ZNIU malware is located in China.
ZNIU harvest the carrier information and starts interacting with the carrier through a SMS-enabled payment service. The malware operators collect money through the carrier’s payment service, this specific service leveraging on SMS transactions is available only with carriers in China. This means that the malware would not be effective outside the country.
“In one of our samples, we saw in its code that payments were directed to a dummy company, which, based on network traffic, we were able to locate in a city in China censored in the picture below. When the SMS transaction is over, the malware will delete the messages from the device, leaving no sign of the transaction between the carrier and the malware operator,” states Trend Micro.
As usual, to stay safe install only apps from the Google Play or trusted third-party app stores, and use mobile security solutions
(Security Affairs – Dirty COW, ZNIU Android malware)