Android users in China and India were hit the hardest by the malware REUTERS/Dado Ruvic/Illustration

Android users are now under threat from malware that leverages a major Linux vulnerability first publicly disclosed last year. ZNIU is the first in-the-wild Android malware to use the Dirty Cow exploit, which comes with backdoor capabilities and allows hackers to root Android devices. The Dirty Cow flaw had been hiding within the Linux OS for 9 years before it was discovered.

The malware has been detected targeting users in over 40 countries including the US, Canada, Germany, Japan and Indonesia. However, according to security experts at Trend Micro, users in China and India were hit the hardest by the malware. The malware has already infected over 5,000 users across the globe.

ZNIU is being spread via over 1,200 malicious Android apps, which have been disguised as gaming and porn apps. Although the malicious apps are not available via Google Play, they can be downloaded via third-party websites.

Researchers say that the malicious apps carrying ZNIU use the Dirty Cow exploit to override system restrictions and plant a backdoor, which in turn gives attackers the opportunity to remotely access infected devices in the future.

The malware's second-stage attack currently targets only Android users subscribed to Chinese carriers. In this stage of the attack, the malware harvests user information and communicates with the carrier via SMS to allow hackers to pose as the infected device's owner. "Through the victim's mobile device, the operator behind ZNIU will collect money through the carrier's payment service. In one of our samples, we saw in its code that payments were directed to a dummy company, which, based on network traffic, we were able to locate in a city in China," Trend Micro researchers said in a blog post.

Once the transaction is complete, the malware deletes the SMS messages from the infected device, leaving no trace of the hackers' efforts to steal money. "Even though the malware operator can set the amount higher to gain more money from the exploitation, every transaction amount is deliberately set in small amounts (20 RMB or 3 USD monthly) to avoid being noticed."

Since ZNIU attacks appear to be ongoing, it is important that users take steps to remain safe from the malware. Users are advised not to download and install apps from third-party sites and instead to stick to apps available on the official Google Play store. Here is a list of the malicious apps carrying ZNIU.
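One practical way to act on that advice is to audit which installed apps did not come from the Play Store. The script below is an added example, not the article's or Trend Micro's code: it reads the output of adb's `pm list packages -i` and flags every package whose recorded installer is not `com.android.vending`; the sample lines and package names are constructed placeholders.

```shell
# Added example: flag sideloaded packages from `adb shell pm list packages -i` output.
# Each input line looks like "package:com.example.app  installer=com.android.vending";
# packages installed outside the Play Store carry a different installer, or "null".
PLAY_STORE="com.android.vending"

# Reads pm output from stdin and prints "package installer" for every entry
# that was not installed by the Play Store.
flag_sideloaded() {
    while IFS= read -r line; do
        case "$line" in
            package:*) ;;
            *) continue ;;   # skip anything that is not a package entry
        esac
        pkg=${line#package:}
        pkg=${pkg%%[[:space:]]*}          # cut at the first whitespace
        installer=${line##*installer=}     # text after the last "installer="
        [ "$installer" = "$line" ] && installer="unknown"   # no installer field
        if [ "$installer" != "$PLAY_STORE" ]; then
            printf '%s %s\n' "$pkg" "$installer"
        fi
    done
}

# Constructed sample standing in for a real device; package names are placeholders.
SAMPLE='package:com.android.chrome  installer=com.android.vending
package:com.example.sideloaded.game  installer=null
package:com.example.vendorapp  installer=com.example.store'

# Number of non-Play-Store packages in the constructed sample.
count_sideloaded() {
    printf '%s\n' "$SAMPLE" | flag_sideloaded | wc -l | tr -d ' '
}

# On a real device: adb shell pm list packages -i | flag_sideloaded
printf '%s\n' "$SAMPLE" | flag_sideloaded
```

Any package listed here deserves a closer look; a reviewer would then compare it against the names in the published list of ZNIU-carrying apps.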