Android Security

Dirty COW Vulnerability: Everything You Need to Know to Stay Secure 

Abhishek Kurve 26-01-2018

Discovered in late 2016, the Dirty COW is a computer security vulnerability that affects all Linux-based systems. The surprising thing is that this kernel-level flaw has existed in the Linux Kernel since 2007, but was only discovered and exploited in 2016.


Today, we’ll see what exactly is this vulnerability, the systems it affects, and how can you protect yourself.

What Is Dirty Cow Vulnerability?

Dirty COW vulnerability is a type of privilege escalation exploit, which essentially means that it can be used to gain root-user access What Is SU & Why Is It Important to Using Linux Effectively? The Linux SU or root user account is a powerful tool that can be helpful when used correctly or devastating if used recklessly. Let's look at why you should be responsible when using SU. Read More on any Linux-based system. While security experts claim that such kinds of exploits are not uncommon, its easy-to-exploit nature and the fact that it has been around for more than 11 years is pretty worrisome.

In fact, Linus Torvalds acknowledged that he had discovered it in 2007, but disregarded it considering it a “theoretical exploit.”

Dirty COW gets its name from the copy-on-write (COW) mechanism in the kernel’s memory management system. Malicious programs can potentially set up a race condition to turn a read-only mapping of a file into a writable mapping. Thus, an underprivileged user could utilize this flaw to elevate their privileges on the system.

By gaining root privileges, malicious programs obtain unrestricted access to the system. From there on, it can modify system files, deploy keyloggers, access personal data stored on your device, etc.


What Systems Are Affected?

Dirty COW vulnerability affects all versions of the Linux Kernel since version 2.6.22, which was released in 2007. According to Wikipedia, the vulnerability has been patched in kernel versions 4.8.3, 4.7.9, 4.4.26 and newer. A patch was released in 2016 initially, but it didn’t address the issue fully, so a subsequent patch was released in November 2017.

To check your current kernel version number, you can use the following command on your Linux-based system:

uname - r

Major Linux distros like Ubuntu, Debian, ArchLinux have all released the appropriate fixes. So if you haven’t already, make sure to update your Linux kernel 5 Reasons Why You Should Update Your Kernel Often [Linux] If you're using a Linux distribution like Ubuntu or Fedora, you're also using the Linux kernel, the core that actually makes your distribution a Linux distribution. Your distribution constantly asks you to update your kernel.... Read More .

Dirty COW Vulnerability: Everything You Need to Know to Stay Secure  1 dirty cow vulnerability android linux 1
Image Credit: Wikipedia


Since most of the systems are now patched, the risk is mitigated, right? Well, not exactly.

While most of the mainstream systems have been patched, there are several other Linux-based embedded devices Linux Is Everywhere: 10 Things You Didn't Know Were Penguin-Powered If you think the world rests on Windows, think again. Linux plays a crucial role in keeping our world going. Read More that are still vulnerable. Most of these embedded devices, especially cheap ones, never receive an update from the manufacturers. Unfortunately, there’s not much you can do about it.

Therefore, it’s pretty important to buy Internet of Things (IoT) devices The 10 Best Internet of Things Gadgets You Must Try Just a decade ago, gadgets like these were the stuff of imagination. But now, Internet-connected toys, headphones, luggage and more are widely available. Here are some amazing products you should definitely check out! Read More from reputable sources that provide reliable after-sales support.

dirty cow vulnerability android malware


Since Android is based on the Linux kernel, a majority of Android devices are also affected.

How Dirty COW Affects Android Devices

ZNIU is the first malware for Android based on the Dirty COW vulnerability. It can be utilized to root any Android devices up to Android 7.0 Nougat. While the vulnerability itself affects all versions of Android, ZNIU specifically affects Android devices with the ARM/X86 64-bit architecture.

According to a report from Trend Micro, over 300,000 malicious apps carrying ZNIU were spotted in the wild, as of September 2017. Users across 50 countries including China, India, Japan, etc. are affected by it. Most of these apps disguise themselves as adult apps and games.

How the ZNIU Android Malware Works

The ZNIU-affected app often appears as a soft-porn app on malicious websites, where users are tricked into downloading it 5 Ways Visiting Adult Websites Is Bad for Your Security & Privacy While pornography is often discussed in the context of morality, there's a huge security-and-privacy angle that is often overlooked. If you know what to look out for, the safer you'll be. Read More . Since Android makes it easy to sideload apps, a lot of novice users fall into this trap and download it.


Dirty COW Vulnerability: Everything You Need to Know to Stay Secure  3 dirty cow vulnerability android linux 1
Image Credit: Trend Micro

Once the infected app is launched, it communicates with its command and control (C&C) server. Then, it exploits the Dirty COW vulnerability to grant itself super-user permissions. While the vulnerability cannot be exploited remotely, the malicious app can still plant a backdoor and execute remote control attacks in the future.

After the app gains root access, it collects and sends the carrier information back to their servers. It then performs transactions with the carrier through an SMS-based payment service. Then, it collects the money through the carrier’s payment service. Researchers at Trend Micro claim that the payments are directed to a dummy company based in China.

If the target is based outside of China, it won’t be able to do these micro-transactions with the carrier, but it will still plant a backdoor to install other malicious apps.

An interesting thing about the malware is that it performs micro-transactions, around $3/month to stay unnoticed. It’s also smart enough to delete all the messages after the transaction is complete, thus making it harder to detect.

How You Can Protect Yourself From ZNIU

Google quickly addressed the issue and released a patch in December 2016 to fix this issue. However, this patch worked on devices running Android 4.4 KitKat or higher.

As of January 2018, around 6 percent of devices are still running an Android version below 4.4 KitKat.

dirty cow vulnerability android malware

While this may not sound like a lot, it still puts a fair number of people at risk.

If your device is running Android 4.4 KitKat and above, make sure that you have the latest security patch installed. To check this, open Settings > About phone. Scroll to the bottom and check Android security patch level.

dirty cow vulnerability android malware

If the installed security patch is newer than December 2016, you should be protected from this vulnerability.

Google also confirmed that Google Play Protect How Google Play Protect Is Making Your Android Device More Secure You may have seen "Google Play Protect" popping up, but what exactly is it? And how does it help you? Read More can scan for affected apps and help you stay secure. But remember that Google Play Protect requires your device to be certified to work with Google apps correctly. Manufacturers can include proprietary apps like Google Play Protect only after passing the compatibility testing. The good news is that most major manufacturers are Google-certified. So unless you got yourself a really cheap knock-off Android device, there’s not much to worry about.

Google Play Protect Product Shots 1

While Android antivirus apps 6 Android Security Apps You Should Install Today Android security apps - capable of blocking malware and phishing attempts - are necessary if you wish to run a safe and secure smartphone. Let's look at some of the best Android security apps currently... Read More can detect such elevated-permission attacks, they cannot prevent it. Anti-virus apps may be useful for other features such as anti-theft The 7 Best Android Anti-Theft Apps to Protect Your Device If your Android phone gets stolen, you'll need a way to get it back. Here are the best Android anti-theft apps. Read More , but they certainly aren’t much use in this case.

As a final precaution, you should be mindful when it comes to installing apps from unknown sources. Android 8.0 Oreo 9 Security Reasons You Should Upgrade to Android 8.0 Oreo Android 8.0 Oreo improved the security of the operating system by leaps and bounds -- and that means you need to upgrade. Read More makes installing apps from unknown sources a little bit safer, but you should still proceed with caution.

Staying Safe: The Key Takeaway

It’s no secret that the Dirty COW vulnerability affects a large number of systems. Thankfully, companies have sprung into action quickly to damage-control the situation. Most of the Linux-based systems like Ubuntu, Debian, and Arch-Linux have been patched. Google has deployed Play Protect to scan for affected apps on Android.

Unfortunately, a fair number of users running embedded systems with the affected Linux kernel will probably never receive security updates, putting them at risk. Manufacturers who sell cheap knock-off Android devices Your Chinese Smartphone Might Have A Serious Security Problem A recently discovered vulnerability in many budget Chinese handsets, which could allow an attacker to gain root access, is currently a threat to owners of Android 4.4 KitKat devices Read More are not Google-certified, thus putting their buyers at risk. Such buyers do not receive security updates, let alone Android version updates.

Therefore, it’s extremely important to skip purchasing devices from such manufacturers. If you happen to own one, it’s time to disregard it immediately. Here are some of the best Android phones The 5 Best Cheap Android Phones in 2017 Looking for an inexpensive Android phone? You've come to the right place. Read More that do not burn a hole in your pocket. The rest of us should make sure to install updates promptly and use our common sense to stay secure on the internet Understanding How to Stay Safe Online in 2016 Why do some users blindly wander the Internet with the bare minimum of online security software installed? Let's look at some commonly misconstrued security statements, and make the right security decisions. Read More .

Was your Linux system ever affected by the Dirty COW vulnerability or the ZNIU malware? Do you install security updates promptly? Share your thoughts with us in the comments below.

Related topics: Android, Linux, Online Security, Smartphone Security.

Affiliate Disclosure: By buying the products we recommend, you help keep the site alive. Read more.

Whatsapp Pinterest

Leave a Reply

Your email address will not be published. Required fields are marked *

  1. Will
    February 4, 2018 at 10:23 pm

    This is all good information but it is very hard to take any of you information seriously when the first command you list contains an "extra operand" error the command should be uname -r and not uname - r!

  2. Chris
    February 3, 2018 at 8:22 am

    Better still. Use Lineage, Replicant or some other trusted third party ROM (only a few others - most are not up to scratch). At least you will get updates and as a bonus, you can ditch Google services, which is the biggest pile of malware of them all. (Just like the biggest piece of Windows malware is Windows 10!) :)

  3. dragonmouth
    January 26, 2018 at 11:10 pm

    " The surprising thing is that this kernel-level flaw has existed in the Linux Kernel since 2007, but was only discovered and exploited in 2016."
    What is also surprising is that you are writing about it only in 2018, not sooner.

    • Abhishek Kurve
      January 31, 2018 at 9:29 am

      Trend Micro reports that over 300,000 apps infected with ZNIU are still out there in the wild. The report is just 3 months old, which means that it's still very much a problem on a lot of Linux-devices out there!