ZNIU Is the First Android Malware to Use Dirty COW

A lot of mobile users are well aware that there are plenty of threats affecting the Android ecosystem right now. One of the newer threats goes by the name of ZNIU, and it is the first case of malware effectively exploiting the Dirty COW vulnerability. This means assailants can carry out a privilege escalation attack to gain root level access and plant a permanent backdoor on a device. The bigger question is whether or not more Android malware types will utilize Dirty COW moving forward.

ZNIU is a Major Android Threat

There are many types of malware capable of impacting mobile devices these days. Especially when it comes to the Dirty COW exploit, things have gotten pretty interesting in this regard. The bug has been prevalent for quite some time now, as it was discovered in the Linux kernel code all the way back in 2007. Although the vulnerability itself was patched pretty quickly, it somehow successfully found its way into the Android ecosystem not too long after.

Although this particular exploit has not been used all that often by the looks of things, some hackers are still paying attention to it for the time being. Dirty COW can effectively be used to root Android devices, which is not a big surprise whatsoever. The main problem is that criminals can leverage this particular exploit in the first place, as it is not exactly straightforward. As most Android users are well aware, anyone who has root privileges can do virtually anything with the device in question.

No one other than the actual device owner should have root privileges in the first place. However, it turns out criminals can successfully achieve this level of access through many different exploits, assuming they wish to pursue that option in the first place. ZNIU is a prime example of how this option is currently being explored by some nefarious actors, as it mainly uses the Dirty COW vulnerability to wreak havoc on Android devices.

More specifically, the ZNIU malware uses Dirty COW to not only root Android devices, but also plant a permanent backdoor on the device in question. This backdoor gives criminals continued access to the device, through which they can perform a wide range of attacks. In most cases, the backdoor is used to collect information, but it can also grant hackers access to SMS services, photos, and so on. It’s not a fun situation for anyone who has had to deal with ZNIU; that much is certain.

What is even more disconcerting is the sheer number of applications which seemingly carry the ZNIU malware right now. Trend Micro researchers have already identified over 1,200 such apps, although the total number may be much higher than that. Most of these apps are related to gaming and adult content, although none of them are to be found in the Google Play Store at this time. Always be wary when downloading APK files from third-party platforms.

One thing to note is how ZNIU has a weak implementation of Dirty COW. More specifically, this implementation only works on Android devices with a specific architecture. Any other devices will simply ignore this attack vector and not have a backdoor installed in the end. Whether or not we can expect to see an updated version of ZNIU remains to be seen. What is clear is that criminals are experimenting with myriad attack vectors targeting Android devices right now.