Malware called ZNIU that is based on CVE-2016-5195, aka Dirty COW, has been found in more than 1,200 malicious Android apps affecting 5,000 users in 40 countries more than a year after the vulnerability first became known.
ZNIU performs several malicious functions for the cybercriminal, including adding a backdoor, but it is also capable of intercepting payments between the device owner and the carrier, sending the funds to a dummy corporation.
Dirty COW, a privilege escalation flaw that can give an attacker root access, was first revealed in 2016, but until recently researchers saw no activity centered on the vulnerability. That changed when Trend Micro researchers captured samples of ZNIU, the first malware family designed to exploit the Dirty COW vulnerability.
Since then Trend Micro has exposed how the malware has sprawled.
“Our data also shows that more than 1,200 malicious apps that carry ZNIU were found in malicious websites with an existing rootkit that exploits Dirty COW, disguising themselves as pornography and game apps, among others,” wrote Trend researchers Jason Gu, Veo Zhang, and Seven Shen.
ZNIU is narrower in reach than the underlying vulnerability would allow: CVE-2016-5195 was found to work on all versions of the Android operating system, whereas ZNIU is only effective against Android devices using the ARM/x86 64-bit architecture.
However, it is still quite dangerous, with multiple malicious capabilities.
The malware is downloaded when the victim opens the bait app; ZNIU then connects to its command-and-control server to obtain updates. Once on the device, it uses its privilege escalation capability to install a backdoor that will be used for future remote attacks.
The malware then harvests the user's information from the device and contacts the carrier through an SMS-enabled payment service, which lets the cybercriminal pose as the device owner.
“Through the victim’s mobile device, the operator behind ZNIU will collect money through the carrier’s payment service. In one of our samples, we saw in its code that payments were directed to a dummy company, which, based on network traffic, we were able to locate in a city in China,” the researchers wrote.
The transaction amount is kept small, usually about $3 per month, to avoid being noticed. As an additional layer of cover, once the fraudulent transaction completes ZNIU deletes the message string, eliminating that piece of evidence.
Only victims in China are susceptible to the payment fraud, as the SMS transaction with the carrier cannot take place outside that country. Those outside China just receive the backdoor, which can be used at a later date.
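Because ZNIU deletes the confirmation message on the handset, the device-side evidence of each charge is gone; what survives is the carrier's billing record. The following added example (my own code, not Trend Micro's analysis or anything from ZNIU itself) runs over a small constructed set of billing lines to show why an amount-based alert threshold misses a charge kept at a few dollars, and how grouping charges by subscriber and merchant and looking for a recurring monthly pattern catches it instead. The merchant codes, subscriber ids, amounts and dates are all invented for the illustration.

```python
"""Recurring small-charge detector over constructed carrier billing records.

Illustrates the point from the ZNIU write-up: a roughly $3 monthly charge
sails under any 'large transaction' rule, but it recurs, and recurrence is
something the carrier's bill still shows after the SMS trail is deleted.
All data below is constructed for the example.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Charge:
    subscriber: str
    billed: date
    merchant: str   # SMS-payment short code or merchant id as printed on the bill
    amount: float   # USD


# Constructed sample bill lines (hypothetical): subscriber,YYYY-MM-DD,merchant,amount
CONSTRUCTED_BILL = """\
sub-A,2017-05-02,SC-80100,2.99
sub-A,2017-06-02,SC-80100,2.99
sub-A,2017-07-03,SC-80100,2.99
sub-A,2017-07-15,APPSTORE,9.99
sub-B,2017-06-11,SC-80100,2.99
sub-B,2017-07-20,RINGTONE-CO,1.49
sub-C,2017-07-01,GAME-TOPUP,49.00
"""


def parse_bill(text: str) -> list[Charge]:
    """Parse the comma-separated bill format used above into Charge records."""
    charges = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        sub, day, merchant, amount = line.split(",")
        charges.append(Charge(sub, date.fromisoformat(day), merchant, float(amount)))
    return charges


def flag_by_amount(charges: list[Charge], threshold: float = 20.0) -> list[tuple[str, str]]:
    """Naive rule: alert only on single charges at or above `threshold`.
    A $3-per-month charge never trips this."""
    return sorted({(c.subscriber, c.merchant) for c in charges if c.amount >= threshold})


def flag_recurring_small(charges: list[Charge], max_amount: float = 5.0,
                         min_months: int = 3) -> list[tuple[str, str]]:
    """Group charges at or below `max_amount` by (subscriber, merchant) and flag
    any pair that is billed in at least `min_months` consecutive calendar months."""
    months: dict[tuple[str, str], set[tuple[int, int]]] = defaultdict(set)
    for c in charges:
        if c.amount <= max_amount:
            months[(c.subscriber, c.merchant)].add((c.billed.year, c.billed.month))
    return sorted(key for key, seen in months.items()
                  if _longest_consecutive_run(seen) >= min_months)


def _longest_consecutive_run(year_months: set[tuple[int, int]]) -> int:
    """Length of the longest run of consecutive months in the set."""
    idx = sorted(y * 12 + (m - 1) for y, m in year_months)
    if not idx:
        return 0
    best = run = 1
    for a, b in zip(idx, idx[1:]):
        run = run + 1 if b == a + 1 else 1
        best = max(best, run)
    return best


if __name__ == "__main__":
    bill = parse_bill(CONSTRUCTED_BILL)
    print("amount threshold only:", flag_by_amount(bill))        # catches only the $49 top-up
    print("recurring small charges:", flag_recurring_small(bill))  # catches sub-A / SC-80100
```

The amount rule flags only the one-off $49 top-up and is blind to the three-month string of $2.99 charges, while the recurrence rule flags exactly that string and leaves the single $2.99 and $1.49 charges alone. In practice the window and amount cutoffs would be tuned to the carrier's own billing data; the values here are placeholders.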