First Android Malware Discovered Using Dirty COW Exploit (rooting devices, installing backdoor)

LASER_oneXM

Feb 4, 2016
ZNIU malware uses Dirty COW to root devices, plant backdoor
Yesterday, security researchers from Trend Micro published a report detailing a new malware family named ZNIU that uses Dirty COW to root devices and plant a backdoor.

Researchers say attackers use this backdoor to collect information on infected devices. The second stage of the attack happens only if the user is located in China. Attackers use the full control the backdoor grants them over the device to subscribe the user to premium SMS numbers that benefit a local company.

[Image: Dirty COW infection chain]

Trend Micro says it discovered more than 1,200 malicious apps that carry ZNIU available via various online websites. Most of the infected apps were gaming and pornography related.

The company says it detected about 5,000 users infected with the ZNIU malware, but the number could be bigger as the company had visibility only inside devices protected by its mobile security solution.

ZNIU made victims across 40 countries, but most were located in China and India.

ZNIU's Dirty COW implementation is inferior
At the technical level, ZNIU used a different Dirty COW exploit from the proof-of-concept code released by researchers last year.

This Dirty COW exploit code only works on Android devices with ARM/x86 64-bit architecture. When it infects Android phones with an ARM 32-bit CPU architecture, ZNIU would use the KingoRoot rooting app and the Iovyroot exploit (CVE-2015-1805) to gain root-level access instead of Dirty COW.

Apps infected with ZNIU never made it on the Google Play Store. To avoid exposing themselves to malware of any kind, users should avoid installing apps from anywhere outside the Play Store. The Play Store isn't perfect, but unlike most underground app stores it performs basic security scans.


Trend Micro's technical report on ZNIU's modus operandi is available here. A list with the package names of all infected apps is available here.