Google last year promised that it rolled out a fix for the Dirty COW vulnerability in its December Android Security update. However, experts have found the first traces of the issue in an Android malware. The Dirty COW vulnerability, acronym for copy-on-write, can potentially give hackers root access to the device in a matter of seconds. Now, the ZNIU malware which uses this vulnerability has been spotted again by experts.

The malware was detected last month and was primarily targeted at countries like India and China. Though, experts claimed that the ZNIU malware was also found in Indonesia, Japan, Germany, Canada, and the US. Researchers found that over 5000 users were affected by this exploit, and claimed that no less 1200 malicious apps were laden with the ZNIU malware.

According to experts, the ZNIU malware was carried in porn apps installed from malicious websites where users were deceived into clicking a URL that downloads the malware-laden app on their devices.

Security researchers at Trend Micro Jason Gu, Veo Zhang, and Seven Shen found samples of ZNIU which appeared as AndroidOS_ZNIU. And ZNIU malware is deemed as the first malware to take advantage of the Dirty COW vulnerability in Google’s Linux-based Android OS.

“The vulnerability was discovered in upstream Linux platforms such as Redhat, and Android, which kernel is based on Linux. It was categorised as a serious privilege escalation flaw that allows an attacker to gain root access on the targeted system. Dirty COW attack on Android has been silent since its discovery, perhaps because it took attackers some time to build a stable exploit for major devices,” the researchers explained.

The malware then performs a transaction with the carrier through an SMS-enabled payment service, which allows the hacker to act as the owner of the device. And through the exploited mobile device, the hacker uses the ZNIU exploit to collect money through the carrier’s payment service.

Researchers have also asserted that the Dirty COW exploit can affect all versions of the Android OS. That said, the ZNIU malware that uses this exploit only affects Android devices that use ARM/X86 64-bit architecture.