ZNIU is the name of the first Android malware seen in the wild that exploits the Dirty COW vulnerability, using it to gain root on the devices it infects.
Dirty COW (CVE-2016-5195) is a privilege escalation vulnerability in the Linux kernel that was disclosed in October 2016. It allows code running as an unprivileged local user, such as an ordinary app, to gain "root" privileges and carry out operations the system would otherwise block.
The bug had been present in the Linux kernel since 2007, about nine years before it was found. At the time of its discovery it was a zero-day, and researchers reported that attackers were already using it against Linux servers. A kernel patch was released immediately, but on Android the fix only reaches a handset when its manufacturer ships an update containing it, so many devices remained exploitable long after the upstream patch.
Yesterday, security researchers from Trend Micro published a report detailing a new malware family named ZNIU that uses Dirty COW to root devices and plant a backdoor.
Researchers say the attackers use this backdoor to collect information about infected devices. A second stage runs only if the device is located in China: the attackers use the root-level control the backdoor gives them to subscribe the victim to premium SMS numbers whose charges benefit a local company.
Trend Micro says it found more than 1,200 malicious apps carrying ZNIU, distributed through various websites. Most of them posed as games or pornography apps.
The company says it detected about 5,000 users infected with ZNIU, but the real figure is likely higher, since it only has visibility into devices running its own mobile security product.
ZNIU claimed victims in 40 countries, most of them in China and India.
Submitted by: Arnfried Walbrecht