A recently discovered piece of Android malware is exploiting the infamous “Dirty COW“ Linux vulnerability discovered nearly a year ago, Trend Micro researchers warn.
Dubbed ZNIU, the malware attempts to exploit Dirty COW, which was disclosed in October 2016. The issue is caused by a race condition in the way the Linux kernel’s memory subsystem handles copy-on-write (COW) breakage of private read-only memory mappings.
While all Android devices running a security patch level of 2016-11-06 are safe from Dirty COW, Trend Micro revealed in early December that the vulnerability can be leveraged to write malicious code directly into processes. They also said that the flaw can be triggered in a manner different from previously observed attacks.
Now, the security firm claims to have discovered “the first malware family to exploit the vulnerability on the Android platform,” namely ZNIU. Observed in attacks in over 40 countries last month, the threat appears mainly focused on China and India.
The researchers say that over 5,000 users have been already infected with the malware, and that the U.S., Japan, Canada, Germany, and Indonesia are among the affected countries. They also reveal that “more than 1,200 malicious apps that carry ZNIU were found in malicious websites with an existing rootkit that exploits Dirty COW.”
The exploit code only works on Android devices with ARM/X86 64-bit architecture, but was designed to bypass SELinux and plant a root backdoor. Four out of six ZNIU rootkits the researchers have been keeping an eye on were Dirty COW exploits, while the other two were KingoRoot and Iovyroot (they can root ARM 32-bit CPU devices).
The malware usually masquerades as a porn app. Once installed, it establishes communication with the command and control (C&C) server and updates itself if a new version is available. It also fetches the appropriate rootkits from the remote server and uses them to escalate privileges and plant a backdoor for potential remote control attacks.
The malware was found to use encryption when communicating with the server. The researchers determined that the domain and server host is located in China.
ZNIU collects the carrier information of the device and starts interacting with the carrier through an SMS-enabled payment service. Thus, the malware operators collect money through the carrier’s payment service. However, such SMS transactions are possible only with carriers in China, meaning that, on devices outside the country, the malware would only install the backdoor.
“In one of our samples, we saw in its code that payments were directed to a dummy company, which, based on network traffic, we were able to locate in a city in China censored in the picture below. When the SMS transaction is over, the malware will delete the messages from the device, leaving no sign of the transaction between the carrier and the malware operator,” the researchers say.