A Linux exploit that was first spotted several months ago has finally been used by Android malware. Trend Micro researchers have spotted samples of the ZNIU malware exploiting the Dirty COW vulnerability on Android devices. Dirty COW gets its name in the way it exploits a flaw in the copy-on-write (COW) system that allows unprivileged local users to gain write access to otherwise read-only memory mappings to increase the user’s privileges on the system.
Researchers say they detected the malware in more than 40 countries last month, with the highest concentration of infected devices coming from China and India. However, instances of the malware were detected in the United States, Japan, Canada, Germany, and Indonesia.
More than 1,200 malicious apps carrying ZNIU were found on websites “with an existing rootkit that exploits Dirty COW.” Trend Micro says these apps disguise themselves as pornography, games, and more to entice users to download them from third-party app stores and websites.
Researchers say that the app uses the Dirty COW exploit to set up a backdoor to log information about the device and create premium SMS transactions with Chinese carriers. The SMS transactions don’t work outside of China, but the malware operator can still gain a backdoor to any phone that has a malicious app installed.
Those running the exploit have deliberately kept a low profile in an attempt to keep the premium charges from being noticed.
Moreover, even though the malware operator can set the amount higher to gain more money from the exploitation, every transaction amount is deliberately set in small amounts (20 RMB or 3 USD monthly) to avoid being noticed.
The malware can be avoided by not installing apps from third-party sources, but it’s important to note that a vulnerability that was first discovered in Linux has now been exploited on Android. It seems as though it took hackers awhile to build a stable exploit for major devices.