About a year ago, we were talking about the Dirty COW vulnerability affecting the Linux kernel. Now the vulnerability is back, but this time cyber criminals have started exploiting it against Android users.
The privilege escalation vulnerability has been exploited by a piece of malware by the name of ZNIU, or AndroidOS_ZNIU. The malware uses the Dirty COW exploit to root devices and install a backdoor, which can then be used to collect data and to generate profit for the attackers through a premium-rate phone number.
It was categorized as a serious privilege escalation flaw that allows an attacker to gain root access on the targeted system.
Trend Micro says:
The ZNIU malware was detected in more than 40 countries last month, with the majority of the victims found in China and India. We also detected the malware in the U.S., Japan, Canada, Germany, and Indonesia. As of this writing, we have detected more than 5,000 affected users. Our data also shows that more than 1,200 malicious apps that carry ZNIU were found in malicious websites with an existing rootkit that exploits Dirty COW, disguising themselves as pornography and game apps, among others.
The ZNIU malware often appears as a porn app downloaded from malicious websites, where users are tricked into clicking on a malicious URL that installs the malware-carrying app on their device. Once launched, ZNIU will communicate with its C&C server. If an update to its code is available, it retrieves it from the C&C server and loads it into the system. Simultaneously, the Dirty COW exploit will be used to provide local privilege escalation to overcome system restrictions and plant a backdoor for potential remote control attacks in the future.
How does the ZNIU Dirty COW malware work?
It’s fairly simple how it works, and fascinating from a security perspective. The application downloads the payload it needs for the device it is running on and extracts it to a file, which contains all the script and ELF files the malware requires to function. It then writes them into the virtual dynamically linked shared object (vDSO), which is normally a mechanism that maps a small set of kernel-provided routines into user-space (i.e., non-root) applications. There is no SELinux limit here, and this is where the “magic” of Dirty COW really happens. It creates a “reverse shell”, which in simple terms means that the machine (in this case, your phone) reaches out to the attacker and executes the commands it receives, rather than the other way around. This gives the attacker access to the device, which ZNIU then uses to patch SELinux and install a backdoor root shell.
So what can I do?
Really, all you can do is stay away from applications not on the Play Store. Google has confirmed to TrendLabs that Google Play Protect will now recognize the application. If your device has the December 2016 security patch or later, you are also completely safe.
Google has released an update for Android that, among other fixes, officially fixes the Dirty COW vulnerability. The tech giant also confirmed that its Play Protect now protects Android users against this malware.
The easiest way to protect yourself against such clever malware is to avoid downloading apps from third-party sources and to always stick to the official Google Play Store.
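A quick way to check the "December 2016 security patch or later" condition above is to read the device's patch level (the standard Android property ro.build.version.security_patch) over adb and compare it with 2016-12-01. The script below is an added example, not code from the article or from Trend Micro; it also handles older devices that do not expose the property at all.

```shell
#!/bin/sh
# Added example: report whether an Android device's security patch level
# includes the December 2016 patch that fixed Dirty COW.
# Usage on a device:  adb shell sh check_dirtycow.sh
# Usage offline:      sh check_dirtycow.sh 2017-09-05

FIX_LEVEL=20161201   # December 2016 Android security patch level (YYYYMMDD)

# Echo a YYYY-MM-DD patch level as an integer YYYYMMDD; echo nothing when
# the value is missing or malformed (pre-Marshmallow devices lack the property).
patch_level_number() {
    case "$1" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9])
            y=${1%%-*}; rest=${1#*-}; m=${rest%-*}; d=${rest#*-}
            printf '%s%s%s' "$y" "$m" "$d" ;;
    esac
}

# Exit status 0 when the patch level is at or after the Dirty COW fix.
patched_against_dirty_cow() {
    n=$(patch_level_number "$1")
    [ -n "$n" ] && [ "$n" -ge "$FIX_LEVEL" ]
}

# One-line verdict suitable for a fleet inventory script.
dirty_cow_status() {
    if [ -z "$(patch_level_number "$1")" ]; then
        echo "UNKNOWN: could not parse patch level '$1'"
    elif patched_against_dirty_cow "$1"; then
        echo "PATCHED: $1 includes the December 2016 fix for Dirty COW"
    else
        echo "VULNERABLE: $1 predates the December 2016 fix; ZNIU-style rooting is possible"
    fi
}

# On the device, read the live property; elsewhere, take the level from argv.
if [ $# -gt 0 ]; then
    dirty_cow_status "$1"
elif command -v getprop >/dev/null 2>&1; then
    dirty_cow_status "$(getprop ro.build.version.security_patch)"
fi
```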