Security experts warn that the Linux vulnerability Dirty COW is being exploited by newly discovered Android malware called ZNIU.
The problem is caused by a race condition in the way the Linux kernel’s memory subsystem handles copy-on-write (COW) breakage of private read-only memory mappings.
The Linux vulnerability is tracked as CVE-2016-5195 and was found to affect Android devices as well. After being alerted to the issue, Google released a patch for its devices in December as part of its monthly security updates.
Although all Android devices with a security patch level of 2016-11-06 are safe from Dirty COW, security experts say that the vulnerability can be leveraged to write malicious code directly into processes.
According to the researchers, the flaw can be triggered in a manner different from previously observed attacks.
Now the experts say that they have discovered “the first malware family to exploit the vulnerability on the Android platform,” namely ZNIU.
Last month, the new malware attacked devices in over 40 countries, focusing mostly on China and India.
According to the experts, over 5,000 users have already been infected with the malware, and the USA, Japan, Canada, Germany, and Indonesia are among the affected countries.
In addition, the researchers say that “more than 1,200 malicious apps that carry ZNIU were found in malicious websites with an existing rootkit that exploits Dirty COW.”
The exploit code only works on Android devices with a 64-bit ARM or x86 architecture; it was developed to bypass SELinux and plant a root backdoor.
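The two facts above, the 2016-11-06 patch level that closes CVE-2016-5195 and the exploit's restriction to 64-bit ARM/x86 devices, are enough for a simple fleet-triage check. The script below is an added example, not code from the article or from the researchers: it parses the output of `adb shell getprop` (the property names `ro.build.version.security_patch` and `ro.product.cpu.abi` are real Android properties; the dump in `SAMPLE_GETPROP` is constructed sample data) and reports whether a device is both unpatched and on an ABI the ZNIU exploit code targets. The "exposed" verdict is a heuristic built only from those two statements in the article.

```python
"""Triage helper: from `adb shell getprop` output, decide whether an Android
device is patched against Dirty COW (CVE-2016-5195) and whether it runs one of
the 64-bit ABIs that the ZNIU exploit code targets.

Added example, not part of the original article. Property names are real
Android system properties; the getprop dump below is constructed sample data.
"""
from datetime import date

# Android security patch level that the article says closes CVE-2016-5195.
DIRTY_COW_FIX_LEVEL = date(2016, 11, 6)

# 64-bit ABIs; the article says the exploit only works on 64-bit ARM/x86.
TARGETED_ABIS = {"arm64-v8a", "x86_64"}

# Constructed sample of `adb shell getprop` output (format: [key]: [value]).
SAMPLE_GETPROP = """\
[ro.build.version.release]: [6.0.1]
[ro.build.version.security_patch]: [2016-10-01]
[ro.product.cpu.abi]: [arm64-v8a]
[ro.product.cpu.abilist]: [arm64-v8a,armeabi-v7a,armeabi]
"""


def parse_getprop(text):
    """Parse getprop output into a dict; lines that do not match are ignored."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not (line.startswith("[") and "]: [" in line and line.endswith("]")):
            continue
        key, value = line[1:-1].split("]: [", 1)
        props[key] = value
    return props


def parse_patch_level(value):
    """Parse a YYYY-MM-DD patch level; return None if missing or malformed."""
    if not value:
        return None
    try:
        y, m, d = (int(part) for part in value.split("-"))
        return date(y, m, d)
    except ValueError:
        return None


def assess(props):
    """Describe the device's exposure to ZNIU's Dirty COW exploit.

    A device with no readable patch level is treated as unpatched: the
    conservative choice for a triage tool.
    """
    level = parse_patch_level(props.get("ro.build.version.security_patch"))
    abi = props.get("ro.product.cpu.abi", "")
    patched = level is not None and level >= DIRTY_COW_FIX_LEVEL
    targeted_abi = abi in TARGETED_ABIS
    return {
        "security_patch": level.isoformat() if level else None,
        "abi": abi,
        "patched_for_cve_2016_5195": patched,
        # Exposed only when unpatched AND on an ABI the exploit code supports.
        "abi_targeted_by_zniu": targeted_abi,
        "exposed": (not patched) and targeted_abi,
    }


if __name__ == "__main__":
    # Replace SAMPLE_GETPROP with real output, e.g. the result of
    # `adb shell getprop`, to triage an actual device.
    for key, value in assess(parse_getprop(SAMPLE_GETPROP)).items():
        print(f"{key}: {value}")
```

A 32-bit device that is still unpatched is reported as not exposed to this particular exploit code, but it is still unpatched; treat the patch-level field, not the verdict, as the remediation signal.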
The experts observed six ZNIU rootkits in total. Four of them were Dirty COW exploits, while the other two were KingoRoot and Iovyroot.
Usually, ZNIU is disguised as a porn application. Once installed on the device, the malware establishes communication with the command and control (C&C) server and updates itself if a new version is available.
ZNIU also fetches the appropriate rootkits from the remote server and uses them to escalate privileges and plant a backdoor for potential remote control attacks.
The researchers found that ZNIU uses encryption when communicating with the server and determined that the domain and the server host are situated in China.
The malware collects the carrier information of the device and starts interacting with the carrier through an SMS-enabled payment service. In this way the creators of ZNIU collect money via the carrier's payment service.
However, SMS transactions of this type are presumably only possible with carriers in China, which means that on devices outside the country the malware would only install the backdoor.