Nearly a year after the disclosure of the Dirty COW vulnerability that affected the Linux kernel, cybercriminals have started exploiting the vulnerability against Android users, researchers have warned.
Publicly disclosed last year in October, Dirty COW was present in a section of the Linux kernel (a part of almost every Linux distribution, including Red Hat, Debian, and Ubuntu) for years and was actively exploited in the wild.
The vulnerability allows an unprivileged local attacker to gain root access through a race condition, gain access to read-only root-owned executable files, and enable remote attacks.
Now, security researchers from Trend Micro have published a blog post on Monday disclosing that the privilege escalation vulnerability (CVE-2016-5195), known as Dirty COW, has been actively exploited by a malware sample of ZNIU, detected as AndroidOS_ZNIU.
"This is the first time we have seen a malware sample that contains an exploit for the vulnerability designed to compromise devices running on the mobile platform."
This Dirty Cow Exploit Found in Over 1,200 Android Apps
The malware uses the Dirty COW exploit to root Android devices via the copy-on-write (COW) mechanism in Android's Linux kernel and install a backdoor, which can then be used by attackers to collect data and generate profit through a premium-rate phone number.
Trend Micro researchers detected the ZNIU malware in more than 1,200 malicious Android apps, some of which disguised themselves as pornography and gaming apps, alongside host websites containing malware rootkits that exploit Dirty Cow.
While the Dirty Cow flaw impacts all versions of the Android operating system, ZNIU's Dirty Cow exploit only affects Android devices with ARM/X86 64-bit architecture. However, the recent exploit can be used to bypass SELinux and plant backdoors.
"We monitored six ZNIU rootkits, four of which were Dirty COW exploits. The other two were KingoRoot, a rooting app, and the Iovyroot exploit (CVE-2015-1805)," the researchers said.
"ZNIU used KingoRoot and Iovyroot because they can root ARM 32-bit CPU devices, which the rootkit for Dirty COW cannot."
Here's How ZNIU's Dirty Cow Exploit Works
Once downloaded and installed, the ZNIU malware-carrying app communicates with its command-and-control (C&C) server to check for code updates, while simultaneously the Dirty Cow exploit provides local privilege escalation to gain root access on the device, bypass system restrictions and "plant a backdoor for potential remote control attacks in the future."
The malware also harvests the carrier information of the user and attempts to send payments via premium SMS messages that are directed to a dummy company in China.
Once the SMS transaction is over, the malware also deletes the messages from the device in order to erase evidence of any compromise.
The researchers found the malware has already infected more than 5,000 Android users across 40 countries in recent weeks, with the majority of victims found in China and India, while others reside in the United States, Japan, Canada, Germany and Indonesia.
Google has released Play Protect, which now protects Android users against this malware.
The easiest way to prevent yourself from being targeted by such clever malware is to avoid downloading apps from third-party sources and always stick to the official Google Play Store.