Nearly a year after the disclosure of the Dirty COW vulnerability that affected the Linux kernel, cybercriminals have started exploiting the vulnerability against Android users, researchers have warned.
Publicly disclosed last year in October, Dirty COW was present in a section of the Linux kernel (a part of almost every Linux distribution, including Red Hat, Debian, and Ubuntu) for years and was actively exploited in the wild.
The vulnerability allows an unprivileged local attacker to gain root access through a race condition, gain access to read-only root-owned executable files, and enable remote attacks.
However, security researchers from Trend Micro published a blog post on Monday disclosing that the privilege escalation vulnerability (CVE-2016-5195), known as Dirty COW, has now been actively exploited by a malware sample of ZNIU, detected as AndroidOS_ZNIU.
This is the first time we have seen a malware sample containing an exploit for the vulnerability designed to compromise devices running on the mobile platform.
This Dirty Cow Exploit Found in Over 1,200 Android Apps
The malware uses the Dirty COW exploit to root Android devices via the copy-on-write (COW) mechanism in Android's Linux kernel and install a backdoor, which can then be used by attackers to collect data and generate profit through a premium rate phone number.
Trend Micro researchers detected the ZNIU malware in more than 1,200 malicious Android apps, some of which disguised themselves as pornography and gaming apps, alongside host websites containing malware rootkits that exploit Dirty Cow.
While the Dirty Cow flaw impacts all versions of the Android operating system, ZNIU's Dirty Cow exploit only affects Android devices with ARM/X86 64-bit architecture. However, the recent exploit can be used to bypass SELinux and plant backdoors.
"We monitored six ZNIU rootkits, four of which were Dirty COW exploits. The other two were KingoRoot, a rooting app, and the Iovyroot exploit (CVE-2015-1805)," the researchers said.
"ZNIU used KingoRoot and Iovyroot because they can root ARM 32-bit CPU devices, which the rootkit for Dirty COW cannot."
Here's How ZNIU's Dirty Cow Exploit Works
Once downloaded and installed, the ZNIU malware-carrying app communicates with its command-and-control (C&C) server to check for code updates, while simultaneously the Dirty Cow exploit provides local privilege escalation to gain root access on the device, bypass system restrictions and "plant a backdoor for potential remote control attacks in the future."
The malware also harvests the carrier information of the user and attempts to send payments via premium SMS messages that are directed to a dummy company in China.
Once the SMS transaction is over, the malware also deletes the messages from the device in order to erase evidence of any compromise.
The researchers found the malware has already infected more than 5,000 Android users across 40 countries in recent weeks, with the majority of victims found in China and India, while others reside in the United States, Japan, Canada, Germany and Indonesia.
Google has released Play Protect, which now protects Android users against this malware.
The easiest way to prevent yourself from being targeted by such clever malware is to avoid downloading apps from third-party sources and always stick to the official Google Play Store.
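Beyond avoiding sideloaded apps, a fleet administrator can triage which of the ZNIU rooting vectors described above (the 64-bit-only Dirty COW rootkit, and Iovyroot on ARM 32-bit devices) a given device is still exposed to, from its `adb shell getprop` output. The script below is an added example, not code from the article or from Trend Micro; the security patch levels it compares against are taken from memory of the Android Security Bulletins that shipped the kernel fixes and should be verified against the bulletins, and the getprop sample is constructed.

```python
import re
from datetime import date

# Android security patch levels that shipped the fixes for the two CVEs the
# ZNIU rootkits use (assumption from memory of the Android Security Bulletins;
# verify before relying on these dates).
FIX_LEVELS = {
    "CVE-2016-5195": date(2016, 11, 6),   # Dirty COW
    "CVE-2015-1805": date(2016, 3, 18),   # Iovyroot
}
# The article states ZNIU's Dirty COW rootkit only works on 64-bit ARM/x86.
SIXTY_FOUR_BIT_ABIS = {"arm64-v8a", "x86_64"}

# Constructed sample of `adb shell getprop` output for an unpatched 64-bit device.
SAMPLE_GETPROP = """\
[ro.build.version.release]: [6.0.1]
[ro.build.version.security_patch]: [2016-09-01]
[ro.product.cpu.abi]: [arm64-v8a]
"""

def parse_getprop(text):
    """Turn getprop's '[key]: [value]' lines into a dict."""
    return {m.group(1): m.group(2)
            for m in re.finditer(r"^\[([^\]]+)\]: \[([^\]]*)\]$", text, re.M)}

def parse_patch_level(value):
    """Parse a YYYY-MM-DD security patch string into a date."""
    y, mo, d = (int(x) for x in value.split("-"))
    return date(y, mo, d)

def triage(props):
    """Return the ZNIU rooting vectors this device is still exposed to.

    Devices without ro.build.version.security_patch (pre-Android 6.0) are
    treated as unpatched, which is the conservative assumption.
    """
    patch = parse_patch_level(props.get("ro.build.version.security_patch", "2000-01-01"))
    abi = props.get("ro.product.cpu.abi", "")
    exposed = []
    if abi in SIXTY_FOUR_BIT_ABIS and patch < FIX_LEVELS["CVE-2016-5195"]:
        exposed.append("Dirty COW rootkit (CVE-2016-5195): 64-bit ABI, patch level before 2016-11-06")
    if abi not in SIXTY_FOUR_BIT_ABIS and patch < FIX_LEVELS["CVE-2015-1805"]:
        exposed.append("Iovyroot (CVE-2015-1805): 32-bit ARM, patch level before 2016-03-18")
    return exposed

if __name__ == "__main__":
    for finding in triage(parse_getprop(SAMPLE_GETPROP)):
        print("EXPOSED:", finding)
```

KingoRoot is a rooting app rather than a single kernel CVE, so patch level alone says nothing about it; pairing this check with Play Protect and an app-source allowlist covers that vector.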