Dirty Cow exploited by ZNIU: The first malware family to exploit the vulnerability on the Android platform

Almost after a year the disclosure of the Linux vulnerability, it is getting exploited by cybercriminals against Android users. The vulnerability is none other than the Dirty COW.

Last year in October, for the first time the Linux vulnerability, CVE-2016-5195 a.k.a Dirty COW disclosed to the public. Dirty COW was discovered in the upstream Linux platforms which has Linux based Kernels such as Redhat, and Android.  This Linux vulnerability allows attackers to gain root access through a race condition issue, allowing access to read-only root-owned executable files, and permit remote attacks.

Trend Micro security researchers have published a blog post on Monday where they have revealed that Dirty COW has now been actively exploited by the a malware sample of ZNIU, detected as AndroidOS_ZNIU. The Dirty COW attacks on Android has been silent since its disclosure, perhaps because it took attackers some time for building a stable exploit to pwn major devices.

Most probably this is the first time that a malware sample is containing an exploit for the vulnerability designed to pwn devices running on the mobile platform. 

Amazed? Wait! There is lot more to it.

According to Trend Micro, the AndroiOS_ZNIU malware has been detected in more than 40 countries affecting more than 5,000 users, and majority of victims are from China and India. The malware was also found to be attacking users in the U.S, Japan, Canada, Germany, and Indonesia.

This nasty malware harvests the carrier information of the user and tries to send payment through premium SMS messages directing to a Chinese dummy company. Once done with the transactions, the malware deletes the messages from the device as an act of erasing footprints. Beat that!

Google has released an update for Android which will officially fix the Dirty COW vulnerability and has also confirmed that its Play Protect will now protect Android users against this malware.