Since Linux is an open source project, one would expect security flaws in its source code to be hard to miss: thousands of developers and users read and fix the code, and when a flaw is discovered it is usually patched quickly. That’s why it was so surprising when a bug came to light last year that had escaped all of that scrutiny for about 9 years. Yes, you read it right: although the vulnerability was disclosed in October 2016, the buggy code had been in the Linux kernel since 2007 (kernel 2.6.22). It is a privilege escalation bug and is known as the Dirty Cow vulnerability, tracked under the CVE identifier CVE-2016-5195.
Although the Linux kernel was patched almost as soon as the bug was disclosed, the fix did not reach Android devices at the same time (Android is built on the Linux kernel). Google shipped the Android patch in December 2016; however, due to the fragmented nature of the Android ecosystem, there are still a lot of Android devices which have not received the update and remain vulnerable. What’s more frightening is that a new Android malware dubbed ZNIU, reported by Trend Micro in September 2017, was discovered just a couple of days back exploiting the Dirty Cow vulnerability in the wild. In this article, we will take an in-depth look at the Dirty Cow vulnerability and how it is being abused on Android by the ZNIU malware.
What is Dirty Cow Vulnerability?
As mentioned above, Dirty Cow is a privilege escalation vulnerability: code that is already running on the machine as an ordinary, unprivileged user can use it to gain super-user (root) privilege. Technically, it is a race condition in the way the kernel’s memory subsystem handled copy-on-write for private, read-only mappings of files. Normally, when a process writes to such a mapping, the kernel gives that process its own private copy of the page and the file itself is untouched. By repeatedly writing to the mapping through /proc/self/mem while a second thread keeps discarding the private copy with madvise(MADV_DONTNEED), an attacker could win the race and have the write applied to the file’s real page in the page cache, so any file the attacker could read (setuid binaries, system libraries, on Android the files of the system partition) could be overwritten. On Android this means a malicious app, which runs as an unprivileged user, can make itself root. Root access gives the attacker full control over the device: all the data stored on it can be extracted, and further code can be installed, without the user becoming any wiser.
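To make the copy-on-write mechanism concrete, here is an added C example written for this article; it is not code from the Linux kernel project, from Trend Micro or from the ZNIU malware. It maps a constructed temporary file read-only and private, forces a write into that mapping through /proc/self/mem (the same write path the public Dirty Cow proofs of concept used) and then compares what the mapping shows with what the file on disk holds. It deliberately omits the madvise(MADV_DONTNEED) racing thread, so on any kernel, patched or not, the file stays intact; the point is to show the boundary that the bug let attackers cross. The temporary file name pattern, the sample content and the function name cow_probe are this example’s own choices.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Constructed sample data: what the temporary file holds before the write,
 * and what we try to write into the read-only mapping of it. */
#define ORIGINAL "AAAAAAAAAAAAAAAAAAAAAAAA"
#define PAYLOAD  "pwned"
#define BUF_LEN  sizeof(ORIGINAL)   /* 25 bytes including the trailing NUL */

/* Return codes of cow_probe(). */
enum { COW_ERROR = -1, FILE_MODIFIED = 0, COW_HELD = 1 };

/*
 * Maps a temporary file PROT_READ | MAP_PRIVATE and writes PAYLOAD into the
 * mapping through /proc/self/mem.  That file lets a process write its own
 * address space regardless of page protections (the kernel uses FOLL_FORCE),
 * so the kernel has to "break COW" first: it allocates a private copy of the
 * page for this process and applies the write there.  Dirty COW proofs of
 * concept used this exact write path plus a second thread calling
 * madvise(MADV_DONTNEED) on the mapping in a tight loop, so that the kernel's
 * retry of the write landed on the file's page instead of the private copy.
 * This example has no such racing thread, so on any kernel the file must stay
 * intact and the function must report COW_HELD.
 *
 * After the write, mapping_out receives what the mapping now shows and
 * file_out what the file holds (both buffers must be BUF_LEN bytes).
 */
int cow_probe(char *mapping_out, char *file_out)
{
    char path[] = "/tmp/cow_probe_XXXXXX";   /* hypothetical temp file name */
    int fd = mkstemp(path);
    if (fd < 0)
        return COW_ERROR;
    unlink(path);                      /* the file vanishes when fd is closed */

    if (write(fd, ORIGINAL, BUF_LEN) != (ssize_t)BUF_LEN) {
        close(fd);
        return COW_ERROR;
    }

    /* A plain store through this pointer would SIGSEGV: the pages are read-only. */
    char *map = mmap(NULL, BUF_LEN, PROT_READ, MAP_PRIVATE, fd, 0);
    if (map == MAP_FAILED) {
        close(fd);
        return COW_ERROR;
    }

    int result = COW_ERROR;
    int mem = open("/proc/self/mem", O_RDWR);
    if (mem >= 0) {
        /* Offset into /proc/self/mem is simply the virtual address to write. */
        ssize_t n = pwrite(mem, PAYLOAD, strlen(PAYLOAD), (off_t)(uintptr_t)map);
        close(mem);
        if (n == (ssize_t)strlen(PAYLOAD)) {
            /* What this process sees through its private mapping ... */
            memcpy(mapping_out, map, BUF_LEN);
            /* ... versus what the file itself holds (page cache, bypassing
             * our mapping), which is what every other process would see. */
            if (pread(fd, file_out, BUF_LEN, 0) == (ssize_t)BUF_LEN)
                result = memcmp(file_out, ORIGINAL, BUF_LEN) == 0
                         ? COW_HELD : FILE_MODIFIED;
        }
    }
    munmap(map, BUF_LEN);
    close(fd);
    return result;
}

int main(void)
{
    char mapping[BUF_LEN], file[BUF_LEN];
    int r = cow_probe(mapping, file);
    if (r == COW_ERROR) {
        perror("cow_probe");
        return 1;
    }
    printf("mapping now reads : %s\n", mapping);
    printf("file still reads  : %s\n", file);
    printf("%s\n", r == COW_HELD ? "copy-on-write held: file untouched"
                                 : "file on disk was modified!");
    return 0;
}
```

The mapping ends up reading "pwned" followed by the rest of the A’s, while the file still holds only A’s: the write went into a private copy that only this process can see. Dirty Cow was the race that let the same forced write hit the file’s page instead, which is why it turned "any file you can read" into "any file you can overwrite".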
What is ZNIU and What Dirty Cow Has to Do With It?
ZNIU is the first recorded Android malware that uses the Dirty Cow vulnerability to attack Android devices. The malware uses the exploit to gain root access on the victim’s device. So far it has been found hiding in more than 1200 adult gaming and pornographic apps. At the time of publishing this article, more than 5000 users across 50 countries have been found to be affected by it.
Which Android Devices Are Vulnerable to ZNIU?
After the Dirty Cow vulnerability was disclosed (October 2016), Google released a fix for Android in its December 2016 security bulletin. However, Google only issues security patches for Android KitKat (4.4) and later. According to Google’s breakdown of Android OS distribution, more than 8% of Android smartphones are still running older versions and will never receive the fix. Of the devices running Android 4.4 and above, only those that have received and installed the December 2016 security patch (or a later patch level) are safe.
That’s a lot of Android devices with the potential to be exploited. However, people can take some solace in the fact that ZNIU uses a somewhat modified version of the Dirty Cow exploit, which has only been found to work against Android devices on 64-bit ARM or x86 architectures. Still, if you own an Android device, check whether you have the December 2016 patch: open Settings > About phone and look at the Android security patch level, which must read December 2016 or later (the same value is exposed to apps and over adb as the ro.build.version.security_patch system property).
ZNIU: How Does it Work?
Once the user has installed a malicious app carrying ZNIU and launches it, the malware contacts its command and control (C&C) servers to fetch any available updates. Once updated, it runs the privilege escalation (Dirty Cow) exploit to gain root access on the victim’s device, and with root it harvests the user’s information from the device.
Currently, the malware uses the harvested information to contact the victim’s network carrier while posing as the user. Once authenticated, it carries out SMS-based micro-transactions and collects the payment through the carrier’s payment service. The malware then deletes the related messages from the device, so the victim has no idea the transactions took place. The amounts are kept very small (around $3 a month), another precaution the attacker takes to ensure the victim doesn’t notice the charges.
After tracking the transactions, it was found that the money was transferred to a dummy company based in China. Since carrier-based transactions cannot transfer money internationally, only victims in China suffer from these fraudulent charges. However, users outside China still have a rooted device with the malware installed, which can be activated remotely at any time, making them potential targets: even if they never see a fraudulent transaction, the backdoor gives the attacker a way to push further malicious code onto the device.
How to Save Yourself From ZNIU Malware
We have written a whole article on protecting your Android device from malware, which you can read by clicking here. The basic thing is to use common sense and not to install apps from untrusted sources. In the case of ZNIU we have seen that the malware reaches victims’ phones when they install pornographic or adult-gaming apps made by untrusted developers. To protect against this specific malware, make sure your device is on a current security patch from Google. The exploit was fixed by the December 2016 security patch, so anyone whose device has that patch level or a later one is safe from ZNIU’s rooting exploit. Depending on your OEM, you might not have received the update, so be aware of the risks and take the necessary precautions yourself. Again, everything you should and shouldn’t do to keep your device from getting infected by malware is covered in the article linked above.
Protect Your Android From Getting Infected By Malware
The last couple of years have seen a rise in malware attacks on Android. Dirty Cow was one of the most serious Linux kernel vulnerabilities ever discovered, and seeing ZNIU exploit it in the wild is just horrific. ZNIU is especially worrisome because of the number of devices it can impact and the unfettered control it grants to the attacker. However, if you are aware of the problem and take the necessary precautions, your device will be safe from these potentially hazardous attacks. So, first make sure that you install the latest security patches from Google as soon as you get them, and then keep away from untrusted and suspicious apps, files, and links. What do you think one should do to protect their device against malware attacks? Let us know your thoughts on the subject by dropping them in the comments section below.