
ZNIU is the name of the first in-the-wild Android malware that uses the Dirty COW vulnerability to infect users.

Dirty COW is a privilege escalation vulnerability in the Linux kernel that came to light last year, in October 2016. The vulnerability allows an attacker to elevate the privilege of attack code to "root" level and carry out malicious operations.

The Dirty COW bug existed in the Linux kernel code for nine years, since 2007. At the time of its discovery, Dirty COW was a zero-day and researchers said attackers used it against Linux servers. A patch was released immediately.

Dirty COW also affected Android devices

A few days after its discovery, researchers found that Dirty COW could be used to root Android devices. This is because the Android OS is built on an earlier version of the Linux kernel, which was also susceptible to the Dirty COW exploit.

All versions of the Android OS were affected and Google released a patch for Android in November 2016.
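Because the fix reached Android through the monthly security patch level rather than a visible kernel version bump, a defender checking a fleet wants a quick way to flag devices that still report a pre-fix patch level, and a separate, more cautious check for Linux hosts. The script below is an added example, not code from this article or from Trend Micro; it assumes that the Android fix shipped with the 2016-11-06 security patch level (the value reported by `getprop ro.build.version.security_patch`) and that the first upstream stable kernels carrying the fix were 4.8.3, 4.7.9 and 4.4.26. Distribution and OEM kernels backport fixes without changing these numbers, so for kernels the script only ever says "patched" or "unconfirmed", never "vulnerable".

```python
import re
from datetime import date

# Assumption (not stated in the article): the Dirty COW fix shipped in the
# Android security patch level dated 2016-11-06.
ANDROID_FIXED_PATCH_LEVEL = date(2016, 11, 6)

# Assumption: first upstream stable releases carrying the fix, per branch.
# Distro and OEM kernels backport fixes without bumping these numbers, so a
# version below the threshold means "cannot confirm", not "vulnerable".
UPSTREAM_FIXED = {
    (4, 8): (4, 8, 3),
    (4, 7): (4, 7, 9),
    (4, 4): (4, 4, 26),
}


def parse_patch_level(value):
    """Parse 'YYYY-MM-DD' as reported by `getprop ro.build.version.security_patch`."""
    m = re.fullmatch(r"(\d{4})-(\d{2})-(\d{2})", value.strip())
    if not m:
        return None
    try:
        return date(*map(int, m.groups()))
    except ValueError:  # e.g. month 13
        return None


def android_patched(value):
    """True if the patch level is at or after the fix, False if before,
    None if the string cannot be parsed."""
    d = parse_patch_level(value)
    if d is None:
        return None
    return d >= ANDROID_FIXED_PATCH_LEVEL


def parse_kernel_version(release):
    """Extract (major, minor, patch) from a `uname -r` string such as '4.4.21-generic'."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release.strip())
    if not m:
        return None
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def kernel_status(release):
    """'patched' if the upstream version is at or after the branch's fix release,
    'unconfirmed' if below it, 'unknown' if the branch is not in the table."""
    v = parse_kernel_version(release)
    if v is None:
        return "unknown"
    threshold = UPSTREAM_FIXED.get(v[:2])
    if threshold is None:
        # Branches newer than 4.8 were released after the fix and never shipped without it.
        return "patched" if v[:2] > (4, 8) else "unknown"
    return "patched" if v >= threshold else "unconfirmed"


if __name__ == "__main__":
    # Constructed sample values, not taken from real devices.
    for level in ("2016-10-05", "2016-11-06", "2017-09-05", "unknown"):
        print(f"android patch level {level!r}: patched={android_patched(level)}")
    for rel in ("4.4.21-generic", "4.4.26", "4.9.0-3-amd64", "3.10.49-ga1b2c3d"):
        print(f"kernel {rel!r}: {kernel_status(rel)}")
```

Feed it the patch level strings collected from devices (for example via an MDM inventory) and the `uname -r` output from Linux hosts; anything reported as `False` or `unconfirmed` is a candidate for follow-up, while `unknown` means the version string alone cannot settle the question and a vendor advisory or a package changelog is needed.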

More details about Dirty COW are available in the YouTube video below.

ZNIU malware uses Dirty COW to root devices, plant backdoor

Yesterday, security researchers from Trend Micro published a report detailing a new malware family named ZNIU that uses Dirty COW to root devices and plant a backdoor.

Researchers say attackers use this backdoor to collect information on infected devices. The second stage of the attack happens only if the user is located in China. Attackers use the full control the backdoor grants them over the device to subscribe the user to premium SMS numbers that benefit a local company.

ZNIU infection chain

Trend Micro says it discovered more than 1,200 malicious apps carrying ZNIU, distributed via various websites. Most of the infected apps were gaming or pornography related.

The company says it detected about 5,000 users infected with the ZNIU malware, but the real number could be higher, as the company only has visibility into devices protected by its own mobile security solution.

ZNIU infected victims in 40 countries, but most were located in China and India.

ZNIU's Dirty COW implementation is inferior

At the technical level, ZNIU used a different Dirty COW exploit from the proof-of-concept code released by researchers last year.

ZNIU's Dirty COW exploit code only works on Android devices with a 64-bit ARM or x86 architecture. On phones with a 32-bit ARM CPU, ZNIU instead uses the KingoRoot rooting app and the Iovyroot exploit (CVE-2015-1805) to gain root-level access.

Apps infected with ZNIU never made it onto the Google Play Store. To avoid exposing themselves to malware of any kind, users should avoid installing apps from anywhere outside the Play Store. The Play Store isn't perfect, but unlike most underground app stores it performs basic security scans.

Trend Micro's technical report on ZNIU's modus operandi is available here. A list with the package names of all infected apps is available here.