ZNIU: Mobile Malware and Dirty COW
Marina Kidron Oct 5, 2017
Dirty COW (CVE-2016-5195) was described as the “most serious Linux local privilege escalation ever” when it was first disclosed and observed in active exploits in October of 2016. Though it was quickly patched once discovered, the bug had remained undetected for a stunning nine years in nearly all versions of the Linux OS.
In December of that year, Trend Micro researchers demonstrated an attack on an Android phone, whose kernel is based on Linux, using the Dirty COW vulnerability. The proof-of-concept (PoC) attack installed a malicious app that requested no permissions, then exploited Dirty COW to steal information, change settings and silently install another app on the device. Because the flaw lets an unprivileged process write to memory that is mapped read-only, an attacker can inject code into a privileged process and gain root access without any need for a reboot.
Android and ZNIU’s Unholy Union
Researchers have now observed the ZNIU malware family exploiting Dirty COW on the Android platform: more than 1,200 malicious apps carrying the malware have been found on malicious websites, each bundling a rootkit that exploits Dirty COW. Together, ZNIU and Dirty COW bypass system restrictions and set up a backdoor on the infected device.
ZNIU can collect money through the carrier’s payment service by posing as the device owner, transacting with the carrier through SMS-enabled payment services and funneling payments to a dummy entity. The messages are then erased, and the transactions themselves often go unnoticed because they are for very small amounts. But to do this, it needs root privileges to bypass the permission checks that normally gate other apps’ access to the device’s SMS functions, and a backdoor to execute additional code to continue the theft (thanks, Dirty COW!).
BYOD Bringing More than Devices to Work
“Bring your own device” and mobile technology connected to corporate networks are essentially unavoidable in businesses today. Just having your work email or calendar on your phone means connecting to the Exchange server. That’s why it’s vital for security teams to stay abreast of threats to mobile devices that could “jump” to the organization.
ZNIU isn’t the only mobile threat that should concern businesses. A similar malware, FalseGuide, delivers fraudulent mobile adware and earns revenue through ad displays and clicks. BankBot, a banking Trojan, bypasses the SMS-based two-factor authentication on victims’ bank accounts to line the operator’s pockets. Faketoken is capable of stealing credit card information, and the list goes on.
Since most of these mobile malware attacks gain root access to the device, jumping to the organizational network is relatively easy, putting the business at risk of information disclosure. Even without compromising the organizational network, the attacker already has access to email on the infected device, which could contain sensitive corporate information.
Vendor Security Updates
Android’s general October security bulletin addresses 14 vulnerabilities, five of them critical. The Pixel/Nexus bulletins fixed 38 in total, none of them critical. These fixes are likely relevant, at least in part, for other devices, though this remains uncertain until other mobile device vendors publish their own advisories.
Samsung has already published fixes for some 215 vulnerabilities, 71 rated critical, and its bulletin overlaps in part (though not entirely) with the Pixel/Nexus bulletins. LG and Huawei have yet to release an update, and neither have Sony (Xperia) or other smaller vendors that lack an organized advisory process at this time.
Users should install both the Android OS patches and the patches specific to their devices, to keep money in their own pockets and to be good stewards of their organization’s security, too.
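For a security team with a fleet of BYOD devices, the practical question behind the patching advice above is which phones still lack the Dirty COW fix. The following script is an added example, not code from the original article or from any vendor tool: it parses the `[key]: [value]` output of `adb shell getprop` and triages each device by its `ro.build.version.security_patch` property. It assumes, as the article does not state, that Google assigned the Dirty COW fix to the 2016-11-06 Android security patch level (the threshold is a named constant so it can be corrected against the bulletin). It deliberately does not compare kernel versions against upstream fixed releases such as 4.8.3: Android vendors backport fixes into 3.10 and 3.18 kernels, so `uname -r` alone says nothing reliable about CVE-2016-5195. The sample `getprop` output below is constructed.

```python
"""Triage Android devices for the Dirty COW (CVE-2016-5195) fix by security patch level.

Added example; not part of the original article or of any vendor's tooling.
Assumption (not stated in the article): the Dirty COW fix shipped with the
2016-11-06 Android security patch level, so any device reporting that level or
later has the kernel fix. Devices that report no patch level are treated as
unknown and, for triage purposes, as if unpatched.
"""
import re
from datetime import date

# Patch level at which the Dirty COW fix shipped (assumption, see docstring).
DIRTY_COW_PATCH_LEVEL = date(2016, 11, 6)

# `adb shell getprop` prints one property per line as: [key]: [value]
PROP_RE = re.compile(r"^\[(?P<key>[^\]]+)\]: \[(?P<val>[^\]]*)\]$")


def parse_getprop(text):
    """Parse `getprop` output into a dict; lines that do not match are ignored."""
    props = {}
    for line in text.splitlines():
        m = PROP_RE.match(line.strip())
        if m:
            props[m.group("key")] = m.group("val")
    return props


def parse_patch_level(value):
    """Convert a YYYY-MM-DD patch level string to a date; None if missing or malformed."""
    try:
        return date.fromisoformat(value)
    except (TypeError, ValueError):
        return None


def assess(props):
    """Return (status, reason) for one device: 'patched', 'vulnerable' or 'unknown'."""
    level = parse_patch_level(props.get("ro.build.version.security_patch"))
    if level is None:
        return "unknown", "no parseable ro.build.version.security_patch; treat as unpatched"
    if level >= DIRTY_COW_PATCH_LEVEL:
        return "patched", "security patch level %s is at or after %s" % (
            level.isoformat(), DIRTY_COW_PATCH_LEVEL.isoformat())
    return "vulnerable", "security patch level %s predates the Dirty COW fix" % level.isoformat()


def triage(samples):
    """Map device name -> status for a dict of device name -> raw getprop output."""
    return {name: assess(parse_getprop(raw))[0] for name, raw in samples.items()}


# Constructed sample getprop output from three hypothetical devices (not real captures).
SAMPLES = {
    "device-a": (
        "[ro.build.version.release]: [7.1.1]\n"
        "[ro.build.version.security_patch]: [2017-10-05]\n"
        "[ro.product.model]: [Pixel]\n"
    ),
    "device-b": (
        "[ro.build.version.release]: [6.0.1]\n"
        "[ro.build.version.security_patch]: [2016-09-01]\n"
        "[ro.product.model]: [SM-G920F]\n"
    ),
    # An older build that never reported a patch level at all.
    "device-c": "[ro.build.version.release]: [5.1]\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        status, reason = assess(parse_getprop(raw))
        print("%-9s %-10s %s" % (name, status, reason))
```

In an MDM or inventory pipeline the same `assess` function would run over the real `getprop` dump collected from each enrolled device; the conservative handling of a missing or unparseable patch level matters, because the oldest builds are exactly the ones most likely to omit the property.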