Decade-Old “Dirty COW” Security Bug Makes a Comeback to Bite Android Users
If there already wasn’t enough Android malware going around, now the criminals are using Linux exploits to attack the most-used mobile operating system. In an advisory published today, security researchers at Trend Micro suggest that a newly discovered Android malware is exploiting the notorious Dirty COW Linux security bug that was first reported a year ago but was part of Linux for over nine years.
“Any user can become root in < 5 seconds in my testing, very reliably. Scary stuff,” Linux developer Phil Oester who discovered this vulnerability had said at the time.
Dirty COW discovered in an Android malware family, disguised as malicious pornography and game apps
Now, the security researchers are calling the Android version of this flaw ZNIU that is being tracked as CVE-2016-5195. Detected in over 40 countries, it is considered as a serious privilege escalation flaw that allows an attacker to gain root access on the targeted system. “As of this writing, we have detected more than 5,000 affected users,” Trend Micro researchers write.
“Our data also shows that more than 1,200 malicious apps that carry ZNIU were found in malicious websites with an existing rootkit that exploits Dirty COW, disguising themselves as pornography and game apps, among others.”
In their post today, researchers Jason Gu, Veo Zhang, and Seven Shen said that ZNIU enables attackers to infiltrate the vulnerable device remotely, after which they harvest information and even send payments through premium SMS messages to a dummy Chinese company.
When the SMS transaction is over, the malware will delete the messages from the device, leaving no sign of the transaction between the carrier and the malware operator.
Google had released a fix for Dirty COW security vulnerability in a patch released in December last year. “Dirty COW attacks on Android has been silent since its discovery, perhaps because it took attackers some time to build a stable exploit for major devices,” the security company added.
Trend Micro has now updated the search giant about the latest malware strain, however, Google confirms that Google Play Protect will keep the users safe against this malware. Those who get their apps from third-party sources (as Android users in China have to) will be at a risk of being exploited by this Android Dirty COW malware. The security firm has advised users to install apps from trusted third-party app stores if the official Google Play Store isn’t available in their country.