A nine-year-old Linux bug nicknamed Dirty COW (Dirty Copy-On-Write, CVE-2016-5195), discovered last October, is being exploited by the ZNIU malware on Android. It is considered one of the most serious Linux kernel bugs, and the exploit was closed by a patch in December 2016 via a Google security update.

Android devices that did not receive that patch, or that run an Android version earlier than 4.4, are vulnerable.

ZNIU's Dirty COW implementation only works on 64-bit ARM and x86 architectures. This doesn't sound too bad, as most 64-bit flagships will usually have at least the December 2016 security patch. However, 32-bit devices may also be susceptible to lovyroot or KingoRoot, which two of the six ZNIU rootkits use.
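The two conditions above (patch level and Android version, then CPU architecture) can be turned into a triage check for a device inventory. This is an added example, not code from the article or from XDA-Developers; it assumes the values come from the Android build properties ro.build.version.release, ro.build.version.security_patch and ro.product.cpu.abi, and the DeviceProps container and the sample devices are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date

# Conditions as stated in the article: the Dirty COW fix shipped in the
# December 2016 Android security update, releases before 4.4 are treated
# as unpatched, and ZNIU's Dirty COW component only runs on 64-bit ARM/x86.
PATCH_LEVEL_FIXED = date(2016, 12, 1)
MIN_RELEASE_WITH_PATCH = (4, 4)
ZNIU_COW_ABIS = {"arm64-v8a", "x86_64"}


@dataclass
class DeviceProps:
    """Hypothetical container for three Android build properties."""
    release: str         # ro.build.version.release, e.g. "7.0"
    security_patch: str  # ro.build.version.security_patch, "" if absent
    abi: str             # ro.product.cpu.abi, e.g. "arm64-v8a"


def parse_release(release):
    """'4.4.4' -> (4, 4, 4); non-numeric suffixes such as '4.4W' are ignored."""
    parts = []
    for piece in release.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def parse_patch_level(patch):
    """'YYYY-MM-DD' -> date, or None when the property is missing/malformed."""
    try:
        year, month, day = (int(x) for x in patch.split("-"))
        return date(year, month, day)
    except ValueError:
        return None  # older builds do not set this property at all


def dirty_cow_unpatched(props):
    """True when the device cannot have the December 2016 fix."""
    if parse_release(props.release) < MIN_RELEASE_WITH_PATCH:
        return True
    level = parse_patch_level(props.security_patch)
    return level is None or level < PATCH_LEVEL_FIXED


def assess(props):
    """Map a device to the exposure category the article describes."""
    if props.abi not in ZNIU_COW_ABIS:
        return "32bit_other_rootkits"  # lovyroot / KingoRoot path
    if dirty_cow_unpatched(props):
        return "dirty_cow"             # ZNIU's CVE-2016-5195 payload applies
    return "patched"
```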

But what does ZNIU do? It mostly appears as a pornography-related app, but it can also be found in game-related applications. Once installed, it checks for an update to the ZNIU payload. It then begins privilege escalation, gaining root access, bypassing SELinux, and installing a backdoor in the system for future remote attacks.

Once the application has initialized and the backdoor is installed, it begins to send device and carrier information back to a server located in mainland China. It then begins to transfer money to an account via a carrier's payment service, but only if the infected user has a Chinese phone number. The SMS messages confirming the transactions are then intercepted and deleted. Users outside China will have their data logged and a backdoor installed, but no payments will be made from their account. The amount taken is ridiculously small so as to avoid notice, the equivalent of $3 a month. ZNIU leverages root access for its SMS-related actions, as an application would normally need to be granted permission by the user to interact with SMS at all. It can also infect other applications installed on the device. All communications are encrypted, including the rootkit payloads downloaded to the device.

Source: XDA-Developers