ZNIU: Mobile Malware and Dirty COW

Marina Kidron Oct 5, 2017

Dirty COW (CVE-2016-5195) was described as the “most serious Linux local privilege escalation ever” when it was first disclosed and observed in active exploits in October of 2016. Though it was quickly patched once discovered, the bug had remained undetected for a stunning nine years in nearly all versions of the Linux OS.

In December of that year, Trend Micro researchers demonstrated an attack on an Android phone — an upstream device whose kernel is based on Linux — using the Dirty COW vulnerability. The proof–of–concept (POC) attack installed a malicious app without any permissions requested, then exploited Dirty COW to steal information, change settings and silently install another app on the device. The flaw also allowed attackers to write code directly to memory, thereby giving the attacker root access without the need for a reboot.

  • Android and ZNIU’s Unholy Union

Researchers have now observed the ZNIU malware family exploiting Dirty COW on the Android platform, with more than 1200 malicious apps that carry the malware found in malicious sites containing a rootkit that exploits Dirty COW. The combination of ZNIU and Dirty COW bypasses system restrictions and sets up a backdoor to infected device.

ZNIU can collect money through the carrier’s payment service by posing as the device owner, transacting with the carrier through SMS­–enabled payment services and funneling payments to a dummy entity. The messages are then erased, and the transactions themselves often go unnoticed as they are for very small amounts. But, to do this, it needs root privileges to override the requirement of permissions for other apps accessing the device’s SMS feature, and a backdoor to execute additional code to continue the cyber theft (thanks, Dirty COW!).

  • BYOD Bringing More than Devices to Work

“Bring your own device” and mobile technology connected to corporate networks is essentially unavoidable in businesses today. Just to have your work email or calendar on your phone means connecting to the exchange server.  That’s why it’s vital for security teams to stay abreast of threats to mobile devices that could “jump” to the organization.

ZNIU isn’t the only mobile threat that should concern businesses. A similar malware, FalseGuide, delivers fraudulent mobile adware and gains revenue through ad displays and clicks. BankBot, a banking Trojan, bypasses the SMS–based two–factor authentication on victim’s bank accounts to line the operator’s pockets. Faketoken is capable of stealing credit card information, and the list goes on.

As most of the mobile malware attacks gain root access to the device, jumping to the organizational network is relatively easy, putting the business at risk of information disclosure, Even without compromising the organizational network, the attacker already has access to email on the infected device, which could contain sensitive corporate information.

  • Vendors Security Updates

Android’s general October security bulletin addresses 14 vulnerabilities, five of them critical. The Pixel/Nexus bulletins fixed 38 in total, though none critical. These fixes are likely relevant for other devices, at least in part; though until other mobile device vendors publish their advisories, this remains uncertain.

Samsung has already published fixes to some 215 vulnerabilities, 71 rated critical, and includes some overlap with the Pixel/Nexus bulletins (though not all). LG and Huawei have yet to release an update, nor have Sony Xperia or other smaller vendors without an organized advisory process at this time.

Apple’s iOS 11 was released on September 19, fixing 63 vulnerabilities, and 11.0.1 was released the following week with unknown content.

Users should be sure to install both OS patches, as well as the patches specific to their devices — to keep money in their own pocket and be a steward of their organization’s security, too.

Marina Kidron is Skybox Security's director of threat intelligence and leader of the Skybox Research Lab, a dedicated team of analysts who daily scour dozens of security feeds and sources and investigate sites in the dark web. Kidron has more than 10 years of experience in business and statistical data analysis, data modeling and algorithms development for information technology, mobile and internet companies and financial services companies. She earned a Master's degree in Political Marketing, and a Bachelor degree in Computer Science and Mathematics.

Recent Posts

Skybox 2021 Vulnerability and Threat Trends Report reveals emerging security challenges and growing need for exposure analysis
Read More
Biden Cybersecurity Executive Order
Read More
CISA Alert – Top routinely exploited vulnerabilities
Read More
3 trends shaping security posture management for 2021
Read More
Skybox Q&A: CRO Rob Rosiello identifies today’s and tomorrow’s top cybersecurity issues as the world reopens
Read More
Post-pandemic cyber threats
Read More