Virtual Event: Threat Detection and Incident Response Summit - Watch Sessions
Connect with us

Hi, what are you looking for?



Android Root Exploits Abuse Dirty COW Vulnerability

The “Dirty COW” Linux kernel vulnerability that was publicly disclosed last week can be leveraged to achieve root privileges on Android devices, security researchers reveal.

The “Dirty COW” Linux kernel vulnerability that was publicly disclosed last week can be leveraged to achieve root privileges on Android devices, security researchers reveal.

The security flaw was dubbed Dirty COW because it is caused by a race condition in the manner in which the Linux kernel’s memory subsystem handles copy-on-write (COW) breakage of private read-only memory mappings. Tracked as CVE-2016-5195, the bug can be exploited by a local attacker to escalate privileges by modifying existing setuid files.

Last week Red Hat said that the vulnerability was important and that an exploit leveraging it was already used in the wild. A fix for the Linux kernel was released on October 13, and Linux distributions have started releasing updates.

By altering the copy-on-write cache provided by the kernel, an attacker changes what the system and apps see when reading the affected files (they modify the contents in memory of any file readable and mapable by the user). The flaw can be used to modify almost any file, even if the partition is mounted as read-only, but, because the change only affects the cache in memory, it won’t persist after reboot.

However, the flaw can be exploited to gain root privileges and compromise an entire system, and all devices running a Linux kernel higher than 2.6.22 are most probably affected by this, NowSecure researchers say. According to them, all devices running a vulnerable version of Android, regardless of the manufacturer, can be compromised through this flaw if they haven’t been patched.

To exploit the vulnerability, however, an attacker needs to run code on the affected device, which can be done via the Android Debug Bridge (ADB) over USB or by installing an app that makes use of the exploit. Because this is a local vulnerability, users can protect themselves by avoiding installing software from unknown sources.

NowSecure has released a plugin that takes advantage of the Dirty COW vulnerability, but they are not the only ones to have done so. Others also came up with working exploits for this security flaw on Android, allowing users to easily get persistent root access.

Advertisement. Scroll to continue reading.

While many people can use these exploits to bypass the limitations imposed by manufacturers or carriers, the vulnerability could also be abused by malicious applications to compromise devices. Many of the Android malware families out there rely on root access not only to perform nefarious operations, but also to improve resilience and hinder removal operations.

Related: “Dirty COW” Linux Kernel Exploit Seen in the Wild

Related: ‘Godless’ Android Malware Uses Multiple Rooting Exploits

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.