
ZNIU: First Android Malware to exploit Dirty COW vulnerability

Red Hat Product Security has been made aware of a vulnerability in the Linux kernel that has been assigned CVE-2016-5195. This issue was publicly disclosed on October 19, 2016 and has been rated as Important. It is being referred to as "Dirty COW" in the media. The vulnerability exists in the upstream Linux kernel and therefore affects platforms built on it, such as Red Hat and Android, whose kernel is based on Linux. A race condition was found in the way the Linux kernel's memory subsystem handled the copy-on-write (COW) breakage of private read-only memory mappings. An unprivileged local user could use this flaw to gain write access to otherwise read-only memory mappings and thus increase their privileges on the system. Dirty COW was categorized as a serious privilege escalation flaw that allows an attacker to gain root access on the targeted system.

Dirty COW attacks on Android have been silent since its discovery, perhaps because it took attackers some time to build a stable exploit for major devices. Almost a year later, Trend Micro researchers captured samples of ZNIU (detected as AndroidOS_ZNIU), the first malware family to exploit the vulnerability on the Android platform.
According to Trend Micro malware researchers, ZNIU was detected in more than 40 countries last month, with the majority of the victims found in China and India. Trend Micro also detected the malware in the U.S., Japan, Canada, Germany, and Indonesia.
As of 25 September, they had detected more than 5,000 affected users. Their data also shows that more than 1,200 malicious apps carrying ZNIU were found on malicious websites, bundled with an existing rootkit that exploits Dirty COW and disguised as pornography and game apps, among others.

How does the infection happen?
The ZNIU malware often appears as a porn app downloaded from malicious websites, where users are tricked into clicking on a malicious URL that installs the malware-carrying app on their device. Once launched, ZNIU will communicate with its C&C server. If an update to its code is available, it retrieves it from the C&C server and loads it into the system. Simultaneously, the Dirty COW exploit will be used to provide local privilege escalation to overcome system restrictions and plant a backdoor for potential remote control attacks in the future.

After being installed on the victim's device, the application collects information about the device. It then contacts the service provider via an SMS-enabled payment service, allowing the malware operator to pose as the device owner. Through the victim's mobile device, the operator behind ZNIU collects money through the carrier's payment service. When the SMS transaction is over, the malware deletes the messages from the device, leaving no sign of the transaction between the carrier and the malware operator. If the carrier is outside China, no SMS transaction with the carrier is possible, but the malware will still exploit the system to plant a backdoor.

The malware appears to victimize only users subscribed to China's carriers. Moreover, even though the malware operator could set the amount higher to gain more money from the exploitation, every transaction amount is deliberately kept small (20 RMB or 3 USD monthly) to avoid being noticed.

Since Android requires user interaction before granting another app permission to access the device's SMS feature, ZNIU needs root privilege to make its scheme work. The malware also needs to plant a backdoor and remotely load additional malicious code later on to continue profiting from its victims.

Analysis details

The ZNIU rootkit may be integrated into malicious apps through an independent broadcast receiver.

The malware can easily inject the rootkit into a third-party app without changing the app's other components, which makes large-scale malware distribution easier.

The malware operator encrypts and packs ZNIU's malicious DEX code for protection, an attempt to shield it from static reverse engineering.

The main logic of ZNIU’s native code works as follows:
1. Collect the model information of the device.
2. Fetch appropriate rootkits from the remote server.
3. Decrypt the exploits.
4. Trigger exploits one by one, check the result, and remove exploit files.
5. Report if the exploit succeeded or failed.

ZNIU network activity:

The URL of the remote exploit server, as well as the communication between client and server, were also found to be encrypted. After string decryption, details of the malicious exploit server were recovered, revealing that its domain and hosting server are located in China.

The backend exploit management server:

Once downloaded, the rootkit 'exp.ziu' is decompressed into 'exp.inf' with the help of zlib.

All files needed by the rootkit are packed into one .inf file; its filename starts with 'ulnz' and it contains several ELF or script files.
Structure of the inf file:
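A triage helper for a captured container of this kind, added here as an example and not part of the original report or of the malware: it inflates a zlib-packed blob (the exp.ziu to exp.inf step) and lists the ELF images and shell scripts embedded in it, without assuming any layout beyond the ELF header. The sample container, the member padding and the function names are constructed for the demo.

```python
import struct
import zlib

ELF_MAGIC = b"\x7fELF"
# e_machine values from the ELF specification; Android devices are ARM/AArch64
MACHINES = {3: "x86", 40: "ARM", 62: "x86-64", 183: "AArch64"}
TYPES = {1: "REL", 2: "EXEC", 3: "DYN"}

def inflate_container(blob: bytes) -> bytes:
    """The exp.ziu -> exp.inf step: the container is plain zlib-compressed."""
    return zlib.decompress(blob)

def find_embedded_images(data: bytes) -> list:
    """Scan inflated data for ELF images and shell scripts; no container format assumed."""
    hits = []
    pos = data.find(ELF_MAGIC)
    while pos != -1 and pos + 20 <= len(data):
        ei_class, ei_data = data[pos + 4], data[pos + 5]
        if ei_class in (1, 2) and ei_data in (1, 2):
            # e_type and e_machine are u16 fields at offsets 16 and 18 of the header
            endian = "<" if ei_data == 1 else ">"
            e_type, e_machine = struct.unpack_from(endian + "HH", data, pos + 16)
            hits.append({"offset": pos, "kind": "elf",
                         "class": 32 if ei_class == 1 else 64,
                         "machine": MACHINES.get(e_machine, "unknown(%d)" % e_machine),
                         "type": TYPES.get(e_type, "unknown(%d)" % e_type)})
        pos = data.find(ELF_MAGIC, pos + 1)
    pos = data.find(b"#!")
    while pos != -1:
        if pos == 0 or data[pos - 1] == 0:  # shebang at the start of a packed member
            hits.append({"offset": pos, "kind": "script"})
        pos = data.find(b"#!", pos + 1)
    return sorted(hits, key=lambda h: h["offset"])

def fake_elf_header(ei_class: int, e_type: int, e_machine: int) -> bytes:
    """Constructed 64-byte ELF header (magic, ident, e_type, e_machine) for the demo."""
    ident = ELF_MAGIC + bytes([ei_class, 1, 1, 0]) + b"\x00" * 8
    return ident + struct.pack("<HH", e_type, e_machine) + b"\x00" * 44

def build_sample_container() -> bytes:
    """Constructed stand-in for exp.ziu: two ELF images and a script, zlib-packed."""
    members = [fake_elf_header(2, 2, 183) + b"\x90" * 32,  # ELF64 AArch64 executable
               fake_elf_header(1, 3, 40) + b"\x00" * 32,   # ELF32 ARM shared object
               b"#!/system/bin/sh\necho constructed-sample\n"]
    return zlib.compress(b"\x00".join(members))

def scan_ziu(blob: bytes) -> list:
    """Inflate a captured .ziu container and list what it carries."""
    return find_embedded_images(inflate_container(blob))

if __name__ == "__main__":
    for hit in scan_ziu(build_sample_container()):
        print(hit)
```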

The ZNIU rootkit can arbitrarily write to the vDSO (virtual dynamically linked shared object), which exports a set of kernel-space functions to user space so that applications perform better. The vDSO code runs in a kernel context, which is not subject to SELinux restrictions.

ZNIU uses public exploit code to write shellcode into the vDSO and create a reverse shell. It then patches the SELinux policy to disarm restrictions and plants a backdoor root shell.
Dirty COW patching vDSO code:
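Because the vDSO image is part of the kernel build, its bytes as seen from any process are constant for a given kernel; a defender can record a known-good fingerprint on a clean device and re-check it later to detect the kind of in-place patching described above. This is an added example, not code from the report or the malware: the maps parser and fingerprint function are mine, SAMPLE_MAPS is a constructed /proc excerpt, and only the hash comparison against a same-build baseline is a real signal (Dirty COW does not change the mapping's permissions, so the permission check is just a sanity check).

```python
import hashlib
import re

# One /proc/<pid>/maps line: start-end perms offset dev inode [path]
MAPS_LINE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+) (\S{4}) \S+ \S+ \S+\s*(.*)$")

def parse_maps(maps_text: str) -> list:
    """Turn /proc/<pid>/maps text into (start, end, perms, path) tuples."""
    regions = []
    for line in maps_text.splitlines():
        m = MAPS_LINE.match(line)
        if m:
            regions.append((int(m.group(1), 16), int(m.group(2), 16), m.group(3), m.group(4)))
    return regions

def find_vdso(regions: list):
    """Return (start, end, perms) of the [vdso] mapping, or None if absent."""
    for start, end, perms, path in regions:
        if path == "[vdso]":
            return start, end, perms
    return None

def vdso_mapping_is_odd(perms: str) -> bool:
    """A vDSO mapping should be r-xp; writable or non-executable is never expected."""
    return "w" in perms or "x" not in perms

def vdso_fingerprint(pid: str = "self") -> dict:
    """Hash the vDSO bytes visible to a process (Linux only; reads /proc).
    Compare the sha256 with a known-good value recorded on the same kernel build."""
    with open(f"/proc/{pid}/maps") as f:
        hit = find_vdso(parse_maps(f.read()))
    if hit is None:
        return {}
    start, end, perms = hit
    with open(f"/proc/{pid}/mem", "rb") as mem:
        mem.seek(start)
        data = mem.read(end - start)
    return {"size": end - start, "perms": perms, "odd": vdso_mapping_is_odd(perms),
            "sha256": hashlib.sha256(data).hexdigest()}

# Constructed maps excerpt (not from a real device) used by the self-test
SAMPLE_MAPS = """\
7f3a1c000000-7f3a1c001000 r--p 00000000 08:01 131073     /system/bin/app_process64
7ffd1b3c2000-7ffd1b3c4000 r--p 00000000 00:00 0          [vvar]
7ffd1b3c4000-7ffd1b3c6000 r-xp 00000000 00:00 0          [vdso]
7ffd1b3d0000-7ffd1b3f1000 rw-p 00000000 00:00 0          [stack]
"""

if __name__ == "__main__":
    print(vdso_fingerprint())
```

Run it once on a freshly flashed device with the same kernel build to obtain the baseline, then periodically compare.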

To keep your device from being infected by this malware, you should:
– Install software only from trusted application markets such as the Google Play Store.
– Use an antivirus product such as Kaspersky, Trend Micro, Avira, etc.
– Apply the patches and updates released by software developers.

Reference:
http://blog.trendmicro.com
https://access.redhat.com
