Android Malware Exploits Dirty COW Vulnerability

A recently discovered piece of Android malware is exploiting the infamous “Dirty COW” Linux vulnerability discovered nearly a year ago, Trend Micro researchers warn.

Dubbed ZNIU, the malware attempts to exploit Dirty COW, which was disclosed in October 2016. The issue is caused by a race condition in the way the Linux kernel’s memory subsystem handles copy-on-write (COW) breakage of private read-only memory mappings.
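To make the copy-on-write contract concrete, here is an added example (written for this page, not code from the article or from Trend Micro's analysis). A process may create a writable MAP_PRIVATE mapping of a file it can only read; the kernel must then copy the page before honouring the write, so the file on disk never changes. Dirty COW was a race in exactly that copy step. The code below only demonstrates the correct behaviour: it writes a constructed sample into a temporary file, re-opens it read-only, modifies it through a private mapping, and checks that the file is untouched. The file path and sample content are constructed for the example.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Constructed sample content for the temporary file. */
static const char ORIGINAL[] = "protected-content";

/* Returns 1 if the file on disk is untouched after a write through a private
 * mapping (the copy-on-write contract), 0 if the write reached the file, and
 * -1 if the temporary file or mapping could not be set up. */
int cow_private_write_stays_private(void)
{
    char path[] = "/tmp/cow_demo_XXXXXX";      /* mkstemp fills in the suffix */
    char readback[sizeof ORIGINAL];
    int rc = -1;

    /* Create the file with write access just long enough to fill it. */
    int fd = mkstemp(path);
    if (fd < 0) return -1;
    if (write(fd, ORIGINAL, sizeof ORIGINAL) == (ssize_t)sizeof ORIGINAL) {
        close(fd);
        fd = open(path, O_RDONLY);              /* from here on: read-only */
    } else {
        close(fd);
        fd = -1;
    }

    if (fd >= 0) {
        /* A writable private mapping of a read-only file is legal; the kernel
         * promises that writes go to a private copy of the page. */
        char *map = mmap(NULL, sizeof ORIGINAL, PROT_READ | PROT_WRITE,
                         MAP_PRIVATE, fd, 0);
        if (map != MAP_FAILED) {
            memcpy(map, "tampered", 8);         /* forces the COW page copy */
            int mapping_changed = memcmp(map, "tampered", 8) == 0;
            munmap(map, sizeof ORIGINAL);

            /* Read the file back through the normal file path, not the map. */
            if (pread(fd, readback, sizeof ORIGINAL, 0) == (ssize_t)sizeof ORIGINAL)
                rc = mapping_changed &&
                     memcmp(readback, ORIGINAL, sizeof ORIGINAL) == 0;
        }
        close(fd);
    }
    unlink(path);
    return rc;
}

int main(void)
{
    int r = cow_private_write_stays_private();
    printf("private write stayed private: %s\n",
           r == 1 ? "yes" : r == 0 ? "NO (file modified)" : "setup failed");
    return r == 1 ? 0 : 1;
}
```

A return value of 1 is the behaviour every patched kernel shows. The race in CVE-2016-5195 was in how the kernel handled the page copy under concurrent memory-management operations; this example deliberately does not reproduce that race, it only shows the property the fix restores.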

Tracked as CVE-2016-5195, the vulnerability was found to affect Android devices as well, and Google released a patch for Google devices in December, as part of its monthly set of security updates.

While all Android devices running a security patch level of 2016-11-06 are safe from Dirty COW, Trend Micro revealed in early December that the vulnerability can be leveraged to write malicious code directly into processes. They also said that the flaw can be triggered in a manner different from previously observed attacks.
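For a fleet or incident-response check, the practical question is whether a device reports a security patch level at or after the 2016-11-06 level the article cites. The following is an added example, not part of the article: it parses the `ro.build.version.security_patch` property out of `adb shell getprop`-style output (that property name is the standard Android one; the sample lines below are constructed) and compares the ISO date as a string, which orders correctly for YYYY-MM-DD values. A device that does not report the property at all (older Android builds) is reported as unknown rather than as patched.

```c
#include <stdio.h>
#include <string.h>

/* Patch level the article gives as the first one safe from Dirty COW. */
#define DIRTY_COW_FIXED_LEVEL "2016-11-06"

/* Constructed getprop-style samples for the example. */
static const char SAMPLE_UNPATCHED[] =
    "[ro.build.version.release]: [6.0.1]\n"
    "[ro.build.version.security_patch]: [2016-10-05]\n"
    "[ro.product.cpu.abi]: [arm64-v8a]\n";

static const char SAMPLE_PATCHED[] =
    "[ro.build.version.release]: [7.0]\n"
    "[ro.build.version.security_patch]: [2016-12-05]\n";

/* Copies the YYYY-MM-DD value of ro.build.version.security_patch into out.
 * Returns 1 on success, 0 if the property is absent or malformed. */
int security_patch_level(const char *getprop_output, char out[11])
{
    static const char key[] = "[ro.build.version.security_patch]: [";
    const char *p = strstr(getprop_output, key);
    if (!p) return 0;
    p += sizeof key - 1;

    /* Validate the date shape before trusting a self-reported value. A
     * premature '\0' fails the check, so no read runs past the string. */
    for (int i = 0; i < 10; i++) {
        int want_dash = (i == 4 || i == 7);
        if (want_dash ? p[i] != '-' : (p[i] < '0' || p[i] > '9')) return 0;
    }
    if (p[10] != ']') return 0;

    memcpy(out, p, 10);
    out[10] = '\0';
    return 1;
}

/* Returns 1 if the reported level is at or after the fixed level, 0 if it is
 * older, and -1 if the level cannot be determined. */
int patched_against_dirty_cow(const char *getprop_output)
{
    char level[11];
    if (!security_patch_level(getprop_output, level)) return -1;
    return strcmp(level, DIRTY_COW_FIXED_LEVEL) >= 0;
}

int main(void)
{
    const char *samples[] = { SAMPLE_UNPATCHED, SAMPLE_PATCHED };
    for (int i = 0; i < 2; i++) {
        int r = patched_against_dirty_cow(samples[i]);
        printf("sample %d: %s\n", i + 1,
               r == 1 ? "patch level at or after " DIRTY_COW_FIXED_LEVEL
               : r == 0 ? "patch level predates the fix"
               : "patch level unknown");
    }
    return 0;
}
```

The patch level is a string the vendor sets, so treat a passing result as a screening signal rather than proof: an OEM that backported the kernel fix without bumping the level, or one that bumped the level without shipping the kernel patch, will be misclassified by any check of this kind.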

Now, the security firm claims to have discovered “the first malware family to exploit the vulnerability on the Android platform,” namely ZNIU. Observed in attacks in over 40 countries last month, the threat appears mainly focused on China and India.

The researchers say that over 5,000 users have already been infected with the malware, and that the U.S., Japan, Canada, Germany, and Indonesia are among the affected countries. They also reveal that “more than 1,200 malicious apps that carry ZNIU were found in malicious websites with an existing rootkit that exploits Dirty COW.”

The exploit code only works on Android devices with ARM/X86 64-bit architecture, but was designed to bypass SELinux and plant a root backdoor. Four out of six ZNIU rootkits the researchers have been keeping an eye on were Dirty COW exploits, while the other two were KingoRoot and Iovyroot (they can root ARM 32-bit CPU devices).

The malware usually masquerades as a porn app. Once installed, it establishes communication with the command and control (C&C) server and updates itself if a new version is available. It also fetches the appropriate rootkits from the remote server and uses them to escalate privileges and plant a backdoor for potential remote control attacks.

The malware was found to use encryption when communicating with the server. The researchers determined that the domain and server host are located in China.

ZNIU collects the carrier information of the device and starts interacting with the carrier through an SMS-enabled payment service. Thus, the malware operators collect money through the carrier’s payment service. However, such SMS transactions are possible only with carriers in China, meaning that, on devices outside the country, the malware would only install the backdoor.

“In one of our samples, we saw in its code that payments were directed to a dummy company, which, based on network traffic, we were able to locate in a city in China censored in the picture below. When the SMS transaction is over, the malware will delete the messages from the device, leaving no sign of the transaction between the carrier and the malware operator,” the researchers say.

Related: Researchers Devise New Dirty COW Attack Against Android

Related: Android Root Exploits Abuse Dirty COW Vulnerability

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
