Dirty COW Linux vulnerability reappears as ZNIU malware threat to Android users

It has been quite some time -- nearly a year in fact -- since we were talking about the Dirty COW vulnerability affecting the Linux kernel. Now the vulnerability is back, but this time it is Android users who need to be concerned.

The privilege escalation vulnerability has been exploited by a piece of malware by the name of ZNIU, or AndroidOS_ZNIU. The malware uses the Dirty COW exploit to root devices and install a backdoor, which can then be used to collect data and to generate profit for the attackers through a premium-rate phone number.

The malware has been detected in dozens of countries in recent weeks and has infected thousands of Android users. In its report on ZNIU, Trend Micro recalls that it warned last year that all versions of Android were vulnerable to Dirty COW. ZNIU differs in that it can only infect Android devices with a 64-bit ARM/x86 architecture, but it goes further than last year's proof-of-concept in that it installs an exploitable backdoor.

Explaining how ZNIU works, Trend Micro says:

The ZNIU malware often appears as a porn app downloaded from malicious websites, where users are tricked into clicking on a malicious URL that installs the malware-carrying app on their device. Once launched, ZNIU will communicate with its C&C server. If an update to its code is available, it retrieves it from the C&C server and loads it into the system. Simultaneously, the Dirty COW exploit will be used to provide local privilege escalation to overcome system restrictions and plant a backdoor for potential remote control attacks in the future.

After entering the main UI of the device, the malware will harvest the carrier information of the user. It then transacts with the carrier through an SMS-enabled payment service, allowing the malware operator to pose as the device owner. Through the victim’s mobile device, the operator behind ZNIU will collect money through the carrier's payment service. In one of our samples, we saw in its code that payments were directed to a dummy company, which, based on network traffic, we were able to locate in a city in China censored in the picture below. When the SMS transaction is over, the malware will delete the messages from the device, leaving no sign of the transaction between the carrier and the malware operator. If the carrier is outside China, there will be no possible SMS transaction with the carrier, but the malware will still exploit the system to plant a backdoor.

Based on our analysis, the malware only appears to victimize users subscribed to China's carriers. Moreover, even though the malware operator can set the amount higher to gain more money from the exploitation, every transaction amount is deliberately set in small amounts (20 RMB or 3 USD monthly) to avoid being noticed.

As Google was aware of the Dirty COW exploit, apps carrying the malware have not made their way into the Play Store. But with many Android users obtaining apps from unofficial sources, the infection has still been able to spread.

Trend Micro has produced a report listing all of the apps known to be infected, and the security company reminds Android users of the importance of avoiding apps from untrustworthy sources.