Android Malware with Dirty Cow Vulnerability Discovered for the First Time
Seems like it’s the season of Android malware. Android users are now being continuously targeted by hackers.
Be it the Judy malware, discovered earlier this year in May or the ExpensiveWall malware, detected recently, Android malware is now hitting headlines. Smartphone users have started thinking of ways to keep their devices and data secured.
Now, here’s some more bad news. Yet another Android malware has appeared, and this is the first time the Dirty Cow vulnerability has been discovered in an Android malware.
The Dirty Cow vulnerability (CVE-2016-5195) was first publicly disclosed in 2016 and was discovered in upstream Linux platforms, like Redhat. Experts categorized it as a serious privilege escalation flaw which would help hackers gain root access on targeted systems. Now, almost a year after it was discovered, the Dirty Cow vulnerability is reported to have made it into the Android realm as well. Researchers from security firm Trend Micro have discovered samples of the ZNIU (AndroidOS_ZNIU) that indicate the entry of the Dirty Cow exploit into Android territory. Yes, ZNIU (AndroidOS_ZNIU) becomes the first Android malware sample to have the Dirty Cow exploit as the flaw.
The ZNIU malware has been detected in over 40 countries, including China, India, the US, Canada, and Japan; and it could have affected at least 5,000 users worldwide. It has been found in the form of malicious apps in malicious websites that have rootkits exploiting the Dirty Cow flaw.
An official blog authored by Trend Micro researchers Jason Gu, Veo Zhang, and Seven Shen says- “Dirty COW attacks on Android has been silent since its discovery, perhaps because it took attackers some time to build a stable exploit for major devices. Almost a year later, Trend Micro researchers captured samples of ZNIU (detected as AndroidOS_ZNIU)—the first malware family to exploit the vulnerability on the Android platform.” The blog also explains the extent and nature of the attack using the vulnerability- “The ZNIU malware was detected in more than 40 countries last month, with the majority of the victims found in China and India. We also detected the malware in the U.S., Japan, Canada, Germany, and Indonesia. As of this writing, we have detected more than 5,000 affected users. Our data also shows that more than 1,200 malicious apps that carry ZNIU were found in malicious websites with an existing rootkit that exploits Dirty COW, disguising themselves as pornography and game apps, among others.”
ZNIU’s leveraging of Dirty COW would work on any Android device with the ARM/X86 64-bit architecture. The Trend Micro team of experts says-“We worked on a Proof-of-Concept (PoC) for Dirty COW last year and found out that all versions of the Android OS were susceptible to exploitation, while ZNIU’s leveraging of Dirty COW only works on Android devices with ARM/X86 64-bit architecture. However, this recent exploit can bypass SELinux and plant a root backdoor, while the PoC can only modify the service code of the system. We monitored six ZNIU rootkits, four of which were Dirty COW exploits. The other two were KingoRoot, a rooting app, and the Iovyroot exploit (CVE-2015-1805). ZNIU used KingoRoot and Iovyroot because they can root ARM 32-bit CPU devices, which the rootkit for Dirty COW cannot.”
Often appearing as a porn app downloaded from illegitimate websites, ZNIU would, after being launched, connect to its C&C (command-and-control) server center (C&C) to check for code updates. At the same time, it would use the Dirty Cow exploit to try and utilize local privilege escalation in order to gain root access, bypass system restrictions and plant a backdoor. It’s this backdoor that hackers use to gain entry into the device environment.
The Trend Micro blog explains what happens after this- “After entering the main UI of the device, the malware will harvest the carrier information of the user. It then transacts with the carrier through an SMS-enabled payment service, allowing the malware operator to pose as the device owner. Through the victim’s mobile device, the operator behind ZNIU will collect money through the carrier’s payment service. In one of our samples, we saw in its code that payments were directed to a dummy company, which, based on network traffic, we were able to locate in a city in China…”.
Traces of the messages are deleted from the device once they’re sent. The hackers go with a small amount per transaction, to avoid detection.
Trend Micro has informed Google about the issue and Google has clarified that Google Play Protect gives protection against the malware.
Julia Sowells165 Posts
Julia Sowells has been a technology and security professional. For a decade of experience in technology, she has worked on dozens of large-scale enterprise security projects, and even writing technical articles and has worked as a technical editor for Rural Press Magazine. She now lives and works in New York, where she maintains her own consulting firm with her role as security consultant while continuing to write for Hacker Combat in her limited spare time.