Dirty COW, an Exploit in the Linux Kernel, is Now Being Abused on Android by ZNIU
Dirty COW (Dirty Copy-On-Write), or CVE-2016-5195, is a 9-year-old Linux bug that was discovered in October last year. It is one of the most serious bugs ever found in the Linux kernel, and now malware dubbed ZNIU has been found exploiting it in the wild. The bug was patched in the December 2016 security update, but any device that hasn’t received that update remains vulnerable. How many devices is that? Quite a lot.
As you can see above, there is a sizable number of devices running versions prior to Android 4.4, which is when Google started issuing security patches. What’s more, any device on Android 6.0 Marshmallow or lower is at risk unless it received security patches from December 2016 onward, and unless those patches actually addressed this bug. Given how negligent many manufacturers are about security updates, it’s hard to say that most people are actually protected. An analysis by TrendLabs has revealed a lot of information about ZNIU.
ZNIU – The First Malware using Dirty COW on Android
First, let’s get one thing clear: ZNIU is not the first recorded use of Dirty COW on Android. In fact, a user on our forums used the Dirty COW exploit (DirtySanta is basically just Dirty COW) to unlock the bootloader of the LG V20. ZNIU is only the first recorded use of the bug for a malicious purpose. That is likely because the application is incredibly complex. It appears to be active in 40 countries, with over 5000 infected users at the time of writing. It disguises itself as pornography and game applications, and has been found in over 1200 apps.
What does the ZNIU Dirty COW malware do?
Firstly, ZNIU’s Dirty COW implementation only works on 64-bit ARM and x86 architectures. This doesn’t sound too bad, as most 64-bit flagships will usually have at least the December 2016 security patch. However, 32-bit devices may still be susceptible to Iovyroot or KingoRoot, which two of the six ZNIU rootkits use.
But what does ZNIU do? It mostly appears as a pornography-related app, but again it can also be found in game-related applications. Once installed, it checks for an update to the ZNIU payload. It then begins privilege escalation: gaining root access, bypassing SELinux and installing a backdoor in the system for future remote attacks.
Once the application has initialized and the backdoor is installed, it begins sending device and carrier information back to a server located in mainland China. It then transfers money to an account via a carrier’s payment service, but only if the infected user has a Chinese phone number. The messages confirming the transactions are then intercepted and deleted. Users outside China will have their data logged and a backdoor installed, but no payments will be made from their account. The amount taken is ridiculously small so as to avoid notice: the equivalent of $3 a month. ZNIU relies on root access for its SMS-related actions, since an application would normally need permission granted by the user to interact with SMS at all. It can also infect other applications installed on the device. All communications are encrypted, including the rootkit payloads downloaded to the device.
Despite that encryption, the obfuscation was poor enough that TrendLabs were able to determine the details of the web server, including its location, used for communication between the malware and its operators.
How does the ZNIU Dirty COW malware work?
How it works is fairly simple, and fascinating from a security perspective. The application downloads the payload it needs for the device it’s running on and extracts it to a file. This file contains all the scripts and ELF files the malware needs to function. It then writes them into the virtual Dynamically Linked Shared Object (vDSO), which is normally a mechanism for giving user applications (i.e. non-root code) a space to work within the kernel. There is no SELinux limit here, and this is where the “magic” of Dirty COW really happens. It creates a “reverse shell”, which in simple terms means that the machine (in this case, your phone) connects out to the attacker’s application and executes the commands it sends, instead of the other way around. This allows the attacker to gain access to the device, which ZNIU does by patching SELinux and installing a backdoor root shell.
So what can I do?
Really, all you can do is stay away from applications that aren’t on the Play Store. Google has confirmed to TrendLabs that Google Play Protect will now recognize the application. If your device has the December 2016 security patch or later, you are also completely safe.
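If you want to check a device yourself, the following is an added example (not from the article or from TrendLabs’ analysis) that compares a device’s reported security patch level against the December 2016 threshold given above. It assumes the standard Android `getprop` tool and the `ro.build.version.security_patch` property, which Marshmallow and later builds populate; older builds report nothing and are treated as unknown.

```shell
#!/bin/sh
# Added example: classify an Android security patch level against the
# December 2016 update the article names as the fix for CVE-2016-5195.
DIRTY_COW_PATCH="2016-12-01"

# Prints one of: patched | vulnerable | unknown
# A missing or malformed level (pre-Marshmallow builds report none) is
# "unknown"; ISO dates become sortable integers once the dashes are stripped.
classify_patch_level() {
    level="$1"
    case "$level" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo unknown; return 0 ;;
    esac
    n=$(printf '%s' "$level" | tr -d '-')
    t=$(printf '%s' "$DIRTY_COW_PATCH" | tr -d '-')
    if [ "$n" -ge "$t" ]; then
        echo patched
    else
        echo vulnerable
    fi
}

# Human-readable verdict for the value classified above
describe_patch_level() {
    case "$(classify_patch_level "$1")" in
        patched)    echo "OK: patch level $1 is at or after $DIRTY_COW_PATCH" ;;
        vulnerable) echo "VULNERABLE: patch level $1 predates $DIRTY_COW_PATCH" ;;
        *)          echo "UNKNOWN: no security patch level reported; treat as vulnerable" ;;
    esac
}

# Query a real device from an adb shell or an on-device terminal.
# getprop is Android's standard property reader (assumed available here).
check_device() {
    describe_patch_level "$(getprop ro.build.version.security_patch 2>/dev/null)"
}
```

The patch level is only what the manufacturer declares, so, as the article notes, a level of December 2016 or later is only meaningful if the vendor’s update actually included the Dirty COW fix.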