Dirty Cow vulnerability discovered in Android malware campaign for the first time

The bug has been found in malware designed to root and install backdoors into Android handsets.
Written by Charlie Osborne, Contributing Writer
File Photo

For the first time, threat actors have added the Dirty Cow Android exploit to malware designed to compromise devices running on the mobile platform.

On Monday, researchers from Trend Micro said the vulnerability, traced as CVE-2016-5195, has been discovered in a malware sample of ZNIU -- detected as AndroidOS_ZNIU -- and this is the first malware sample to contain an exploit for the flaw.

Dirty Cow was publicly disclosed back in 2016. The vulnerability has been present in the kernel and Linux distributions for years and permits attackers to escalate to root privileges through a race condition bug, gain access to read-only memory, and permit remote attacks.

"Dirty COW attacks on Android has been silent since its discovery, perhaps because it took attackers some time to build a stable exploit for major devices," the company said.

In a blog post, Trend Micro researchers Jason Gu, Veo Zhang, and Seven Shen said ZNIU was present in at least 40 countries last month, with the majority of victims found in China and India.

Individuals in the US, Japan, Canada, and Germany, among others, have also been targeted.

Trend Micro's analysis of the integration of Dirty Cow with ZNUI led to the discovery of over 1,200 malicious Android apps with the malicious code embedded within, alongside host websites containing rootkits that exploit Dirty Cow. Some of these apps disguised themselves as pornography or game-related software.

Over 5,000 users so far have been affected.

When left unpatched, the Dirty Cow vulnerability impacts all versions of the Android OS, while ZNIU's Dirty Cow exploit only affects Android devices running on ARM/X86 64-bit architecture.

However, the recent exploit can also bypass SELinux and fashion backdoors.

"We monitored six ZNIU rootkits, four of which were Dirty COW exploits," the team says. "The other two were KingoRoot, a rooting app, and the Iovyroot exploit (CVE-2015-1805). ZNIU used KingoRoot and Iovyroot because they can root ARM 32-bit CPU devices, which the rootkit for Dirty COW cannot."

ZNIU often appears as a porn app downloaded from illegitimate websites. Once launched, the malware connects to its command-and-control center (C&C) to check for code updates, while simultaneously implementing Dirty Cow to try and utilize local privilege escalation to gain root access, bypass system restrictions and plant a backdoor.

This, in turn, could be used by attackers to infiltrate the device remotely.

The malware also harvests user information, such as the carrier in use, and will attempt to send payments through premium SMS messages to a dummy company in China.

After these messages are sent, they are deleted from the device. The operators behind the malware intentionally set each transaction as a small amount to try and avoid being spotted.

"If the carrier is outside China, there will be no possible SMS transaction with the carrier, but the malware will still exploit the system to plant a backdoor," Trend Micro says.

In December last year, Google issued a security update to fix the security flaw, although it is up to vendors as to when to provide these security updates to their own handsets.

Google has been made aware of the malware's latest weapon and has confirmed that Google Play Protect protects against the malware. Downloading apps from third-party sources is generally a risk and should be treated with caution.

Previous and related coverage

Editorial standards