Security researchers have discovered the first instance of Dirty COW vulnerability exploitation spotted in an Android malware. The Dirty COW flaw was dubbed so as it is an acronym for the duplication technique called copy-on-write, and could potentially give root access of a device to the attacker within a matter of seconds. Google late last year claimed to have fixed the issue linked to Linux with its December Android Security update. Now, a malware called ZNIU has been confirmed to be using this exploit to infect devices.
To recall, the ZNIU malware was detected last month in over 40 countries, with the majority of the cases reported in China and India. Researchers claim that the malware was also detected in the US, Japan, Canada, Germany, and Indonesia. The researchers were able to detect over 5,000 affected users, and also claim that more than 1,200 malicious apps carried ZNIU exploit. Researchers claim that the ZNIU malware often appeared as a porn app downloaded from malicious website where users are tricked into clicking on a malicious URL that installs the malware-carrying app on their device.
Security researchers Jason Gu, Veo Zhang, and Seven Shen at Trend Micro captured samples of ZNIU (detected as AndroidOS_ZNIU), which is the first malware family to exploit the Dirty COW vulnerability on the Android platform.
"The vulnerability was discovered in upstream Linux platforms such as Redhat, and Android, which kernel is based on Linux. It was categorised as a serious privilege escalation flaw that allows an attacker to gain root access on the targeted system. Dirty COW attack on Android has been silent since its discovery, perhaps because it took attackers some time to build a stable exploit for major devices," the researchers noted.
The malware used to harvest the carrier information of the user. "It then transacts with the carrier through an SMS-enabled payment service, allowing the malware operator to pose as the device owner. Through the victim's mobile device, the operator behind ZNIU will collect money through the carrier's payment service," explain researchers.
"We have detected more than 5,000 affected users. Our data also shows that more than 1,200 malicious apps that carry ZNIU were found in malicious websites with an existing rootkit that exploits Dirty COW, disguising themselves as pornography and game apps, among others."
Researchers also claim that the Dirty COW vulnerability can exploit all versions of Android OS. However, ZNIU-infected Dirty COW exploit only works on devices running Android OS with ARM/X86 64-bit architecture.