Introduction: Understanding Dirty COW on Android
The “Dirty COW” vulnerability (CVE-2016-5195) sent ripples through the Linux world, including Android, upon its public disclosure in October 2016. This privilege escalation flaw let a local, unprivileged process write into read-only private mappings of files it could only read, altering the kernel’s in-memory copy of files such as setuid binaries. For Android devices, this gave attackers (including a malicious app) a path to root privileges, persistent malware, or tampering with the operating system’s integrity.
Dirty COW exploits a race condition in the kernel’s copy-on-write (COW) handling. When a process writes to a private mapping of a file it can only read (for example, a MAP_PRIVATE mapping of a setuid binary), the kernel is supposed to fault in a private, writable copy of the page and direct the write there. The race is between a write that goes through the kernel’s get_user_pages() path (the public proof of concept writes through /proc/self/mem; another variant uses ptrace) and a concurrent madvise(MADV_DONTNEED) that discards the freshly made private copy. If the discard wins at the right moment, the kernel’s retry lands on the original page-cache page instead of a private copy, so the attacker’s bytes overwrite the cached contents of the read-only file. On Android this was used to overwrite setuid binaries under /system (the public Android exploits targeted /system/bin/run-as; /system/bin/su only exists on a device that is already rooted), which then execute attacker-controlled code with elevated privileges. Note that the write lands in the page cache rather than going through the filesystem’s write path: it does not update the file’s modification time and, on a read-only /system, typically never reaches flash, so the tampered binary can vanish on reboot unless the attacker uses the foothold to make a lasting change.
Why Dirty COW Still Matters in the Android Ecosystem
Dirty COW was fixed in mainline Linux shortly after disclosure, and the fix was backported to the stable and long-term branches (4.8.3, 4.7.9, 4.4.26, and the 3.x LTS series that Android devices of the period commonly run); Google shipped it to Android with the November 2016 security bulletin (patch level 2016-11-06). Even so, it remains relevant for a significant portion of Android devices. Millions of older smartphones and tablets, especially those no longer receiving official security updates, still run vulnerable kernels, and some custom ROMs built on older kernel trees may have missed or mis-merged the backport.
For an attacker, a Dirty COW exploit offers a powerful mechanism for persistence. Once root access is achieved, even if temporarily, a malicious actor can modify system files, inject rootkits, or disable security features, making the compromise difficult to detect and remove. Diagnosing such an exploit requires a deep understanding of Android’s underlying Linux architecture and careful inspection of system behavior and files.
Symptoms of a Potentially Compromised Android Device
Identifying a Dirty COW compromise, or any root-level compromise, can be challenging as attackers often try to remain stealthy. However, certain anomalous behaviors can indicate a system has been tampered with:
- Unexpected Root Access: Apps gaining root privileges without explicit user consent or prompts.
- Unusual System Behavior: Frequent crashes, random reboots, excessive battery drain, or device slowdowns without a clear cause.
- Modified System Files/Apps: Appearance of unknown apps with system-level permissions, or core system apps exhibiting modified behavior.
- Suspicious Network Activity: Unexplained data usage, connections to unknown servers, or ads appearing in unexpected places.
- Security Tool Inconsistencies: Antivirus or security apps failing to scan properly, crashing, or reporting issues that cannot be resolved.
Diagnosing Dirty COW Exploitation on Android
A systematic approach is crucial when investigating a potential Dirty COW exploit. The following steps involve using the Android Debug Bridge (ADB) to inspect various aspects of the device’s operating environment.
Step 1: Kernel Version Check
The first step is to determine whether the device’s kernel is susceptible at all. Affected versions span Linux 2.6.22 through 4.8.2; the fix landed in 4.8.3, 4.7.9 and 4.4.26 and was backported to the older long-term branches (3.4, 3.10, 3.18) that most Android devices of the period ship. Because OEM kernels carry their own backports without bumping the upstream point release, the version string is only a first filter.
adb shell cat /proc/version
adb shell uname -a
Look at the version number. If it is below the fixed releases and the string gives no hint of a backport (it usually does not), treat the kernel as potentially vulnerable and cross-check the Android security patch level: the ro.build.version.security_patch property (present on Android 6.0 and later, and shown under Settings > About phone). A level of 2016-11-06 or later means the OEM claims to have shipped the fix; an older level on a pre-4.8.3 kernel means the device should be assumed vulnerable.
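The following script is an added example, not part of the original article: it takes the output of `adb shell cat /proc/version` (or `uname -r`) and `adb shell getprop ro.build.version.security_patch`, classifies the kernel against the stable fix points named above (4.8.3, 4.7.9, 4.4.26; anything 4.9 or newer is fixed), and combines that with the patch level. The fix-point numbers and the 2016-11-06 level are the facts from the text; the verdict labels (`patched`, `patched-by-backport`, `vulnerable`, `likely-vulnerable`, `inconclusive`, `not-affected`) are this script’s own. For 3.x kernels the version alone is inconclusive, so the patch level decides.

```bash
#!/bin/sh
# Added example (not the article's own code). Classify an Android kernel
# against the Dirty COW fix points, then fold in the security patch level.
# Fix points assumed: 4.8.3, 4.7.9, 4.4.26 (stable, Oct 2016), Android
# patch level 2016-11-06. 3.x LTS backports vary per OEM -> inconclusive.

# Reduce "/proc/version" or "uname -r" text to "x.y.z" (adb output may carry \r).
kernel_release() {
    printf '%s\n' "$1" | tr -d '\r' |
        sed 's/^Linux version //; s/[[:space:]].*//; s/^\([0-9]*\.[0-9]*\.[0-9]*\).*/\1/'
}

# Prints: patched | vulnerable | inconclusive | not-affected
dirtycow_kernel_status() {
    rel=$(kernel_release "$1")
    maj=${rel%%.*}; rest=${rel#*.}
    min=${rest%%.*}; pat=${rest#*.}
    if [ "$pat" = "$rest" ]; then pat=0; fi        # no third component
    case "$maj:$min:$pat" in
        *[!0-9:]*|:*|*::*|*:) echo inconclusive; return 0 ;;
    esac
    if [ "$maj" -gt 4 ] || { [ "$maj" -eq 4 ] && [ "$min" -ge 9 ]; }; then
        echo patched
    elif [ "$maj" -eq 4 ] && [ "$min" -eq 8 ]; then
        if [ "$pat" -ge 3 ]; then echo patched; else echo vulnerable; fi
    elif [ "$maj" -eq 4 ] && [ "$min" -eq 7 ]; then
        if [ "$pat" -ge 9 ]; then echo patched; else echo vulnerable; fi
    elif [ "$maj" -eq 4 ] && [ "$min" -eq 4 ]; then
        if [ "$pat" -ge 26 ]; then echo patched; else echo vulnerable; fi
    elif [ "$maj" -lt 2 ] || { [ "$maj" -eq 2 ] && { [ "$min" -lt 6 ] || { [ "$min" -eq 6 ] && [ "$pat" -lt 22 ]; }; }; }; then
        echo not-affected                          # predates 2.6.22
    else
        echo inconclusive                          # 3.x LTS / other 4.x: OEM backport unknown
    fi
}

# Patch levels are YYYY-MM-DD, so a lexical compare orders them correctly.
patch_level_covers_dirtycow() {
    expr "$1" \> "2016-11-05" >/dev/null
}

# $1 = /proc/version text, $2 = ro.build.version.security_patch (may be empty on pre-6.0)
dirtycow_assessment() {
    k=$(dirtycow_kernel_status "$1")
    level=$(printf '%s' "$2" | tr -d '\r')
    case "$k" in
        patched|not-affected) echo "$k"; return 0 ;;
    esac
    if [ -n "$level" ] && patch_level_covers_dirtycow "$level"; then
        echo patched-by-backport      # old kernel, but OEM shipped the Nov 2016 fix
    elif [ "$k" = vulnerable ]; then
        echo vulnerable
    elif [ -n "$level" ]; then
        echo likely-vulnerable        # LTS kernel with a patch level predating the fix
    else
        echo inconclusive             # LTS kernel and no patch level property at all
    fi
}

# Run against a connected device: sh dirtycow_check.sh --device
if [ "${1:-}" = "--device" ]; then
    dirtycow_assessment "$(adb shell cat /proc/version)" \
                        "$(adb shell getprop ro.build.version.security_patch)"
fi
```

The kernel classification is deliberately conservative: only upstream releases at or past the fix points are reported as `patched` from the version alone, and an older kernel is promoted to `patched-by-backport` only when the vendor’s patch level says the November 2016 fixes were shipped. Treat `likely-vulnerable` and `inconclusive` as reasons to continue with the remaining steps rather than as a clean bill of health.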
Step 2: Scrutinizing System Logs for Anomalies
System logs (logcat, and the kernel log via dmesg where the device lets the shell user read it) can provide clues about processes attempting to gain escalated privileges, system file modifications, or other suspicious activity. A successful Dirty COW write produces no log line of its own, and madvise() calls are not logged, so the search below is for side effects, not for the exploit itself.
adb logcat -d | grep -iE "avc: +denied|dirtycow|cve-2016-5195|permission denied|failed to exec|run-as|exploit|madvise"
Things worth a second look: SELinux denials (`avc: denied`) involving ptrace, /proc/<pid>/mem, or execution of files an ordinary app should never touch; crashes or unexpected re-executions of setuid helpers such as run-as; a `permission denied` followed shortly by the same action succeeding. Bare words like `su` or `root` match far too much (`result`, `route`, …) to be useful as filters. Monitor logcat in real time if possible while observing the device’s behavior.
Step 3: Examining Running Processes and Filesystem Integrity
An exploited device often exhibits unusual processes running with elevated privileges or has critical system files modified.
- Identify Suspicious Processes: Look for processes running as root or system that are unfamiliar, consume excessive resources, or have unusual command-line arguments.
- Check for Modified System Files: Dirty COW is typically used to overwrite setuid binaries (on Android, /system/bin/run-as was the usual target; /system/bin/su only exists on a device that was already rooted) or other critical components under /system. An attacker might replace a legitimate binary with a malicious one or add their own. Because the Dirty COW write bypasses the filesystem’s write path, it does not update the file’s modification time; compare contents (hashes) against a known-good copy rather than relying on timestamps alone.
- Inspect Memory Mappings: Advanced attackers might try to hide their traces in memory. While more involved, inspecting /proc/<PID>/maps for suspicious processes can reveal dynamically linked malicious libraries or unexpected writable regions.
adb shell ps -A -o USER,PID,PPID,VSZ,RSS,STAT,START,COMMAND
Pay close attention to processes originating from unexpected paths or with names resembling legitimate services but slightly altered. The -A and -o options belong to the toybox ps on newer Android releases; older builds ship a toolbox ps that accepts neither, so fall back to a plain ps there. App processes run as u0_aNN (uid 10000 + NN); a root process whose executable lives under /data rather than /system deserves scrutiny.
# Check recently modified files in /system (e.g., last 7 days). A Dirty COW
# page-cache overwrite does not change mtime, so this only catches changes
# made through the normal write path (e.g., after remounting /system rw)
adb shell find /system -type f -mtime -7 -exec ls -l {} \;
# Check for unexpected 'su' or setuid binaries (toybox find, Android 6.0+;
# older builds may need busybox for find)
adb shell ls -l /system/bin/su /system/xbin/su
adb shell find /system -type f -perm -4000 -exec ls -l {} \;
Compare checksums of critical system binaries against a known-good reference (the same build’s factory image, or an untouched device on the same firmware), or look for changes in size, ownership, or permissions. Modification dates alone are unreliable here, since a Dirty COW write bypasses the write path and leaves mtime untouched; likewise dm-verity, where enabled, verifies blocks as they are read from flash and does not see an overwrite that lives only in the page cache. If /system/bin/su or /system/xbin/su exists without the user having rooted the device, it’s a major red flag.
# Example: check memory maps for a suspicious PID. On Android 7 and later
# /proc is mounted with hidepid=2, so the adb shell sees only its own
# processes' maps unless the device is rooted
adb shell cat /proc/<PID>/maps
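Since timestamps cannot be trusted after a page-cache overwrite, the useful check is a content comparison. The script below is an added example, not code from the original article: it builds an inventory of `hash path` lines for every setuid file under /system, once from a reference (an extracted factory image, or a clean device on the same build) and once from the device under investigation, and reports what was added, removed, or changed. Pulling each file and hashing on the host avoids depending on whatever hash tools the device’s toolbox happens to ship; `find -perm -4000` assumes the toybox find (Android 6.0+), and `sha256sum` assumes GNU coreutils on the host. The demo data at the bottom is constructed (fake hashes) purely to exercise the comparison.

```bash
#!/bin/sh
# Added example (not the article's own code): compare setuid-binary
# inventories ("sha256 path" per line) from a known-good reference and from
# the device. Assumes toybox find on the device and sha256sum on the host.

# Inventory of the live device: list setuid files, pull each, hash locally.
device_suid_inventory() {
    tmp=$(mktemp -d)
    adb shell 'find /system -type f -perm -4000 2>/dev/null' | tr -d '\r' |
    while read -r path; do
        [ -n "$path" ] || continue
        adb pull "$path" "$tmp/pulled" >/dev/null 2>&1 || { echo "PULLFAIL $path" >&2; continue; }
        printf '%s %s\n' "$(sha256sum "$tmp/pulled" | cut -d' ' -f1)" "$path"
    done
    rm -rf "$tmp"
}

# Reference inventory from an extracted system image rooted at $1 (no trailing
# slash); paths are rewritten to their on-device form under /system.
image_suid_inventory() {
    find "$1" -type f -perm -4000 -exec sha256sum {} \; |
        awk -v root="$1" '{ print $1, "/system" substr($2, length(root) + 1) }'
}

# Diff two inventories. Output: ADDED / REMOVED / MODIFIED followed by the path.
compare_suid_inventory() {   # $1 = reference inventory file, $2 = device inventory file
    awk '
        FILENAME == ARGV[1] { ref[$2] = $1; next }
        { dev[$2] = $1 }
        END {
            for (p in dev) if (!(p in ref)) print "ADDED    " p
            for (p in ref) if (!(p in dev)) print "REMOVED  " p
            for (p in dev) if ((p in ref) && ref[p] != dev[p]) print "MODIFIED " p
        }' "$1" "$2" | sort
}

# Constructed demo data (fake hashes, not real file digests) to show the report.
demo_compare() {
    ref=$(mktemp); cur=$(mktemp)
    printf '%s\n' \
        'aaaa1111 /system/bin/run-as' \
        'bbbb2222 /system/bin/ping' \
        'cccc3333 /system/xbin/librank' > "$ref"
    # device side: run-as content changed, ping gone, an su binary appeared
    printf '%s\n' \
        'ffff9999 /system/bin/run-as' \
        'cccc3333 /system/xbin/librank' \
        'dddd4444 /system/xbin/su' > "$cur"
    compare_suid_inventory "$ref" "$cur"
    rm -f "$ref" "$cur"
}

# Typical use against a device, with a reference extracted to ./factory/system:
#   image_suid_inventory ./factory/system > ref.txt
#   device_suid_inventory > dev.txt
#   compare_suid_inventory ref.txt dev.txt
if [ "${1:-}" = "--demo" ]; then demo_compare; fi
```

Because the reference must come from the same build, pull the factory image matching `ro.build.fingerprint`; a mismatch shows up as a wall of MODIFIED lines rather than evidence of tampering. A single MODIFIED setuid binary such as run-as, with the rest of the inventory untouched, is exactly the footprint a Dirty COW overwrite leaves.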
Step 4: Network Activity Analysis
Compromised devices often communicate with command-and-control (C2) servers. Monitoring network connections can reveal exfiltration attempts or C2 communication.
adb shell netstat -antp
Look for active connections to unfamiliar IP addresses or ports, especially from processes you’ve identified as suspicious, and pay attention to outgoing connections while the device is idle. netstat’s -p (owning process) column requires root, and the toolbox netstat on older builds prints very little; /proc/net/tcp and /proc/net/tcp6 are normally readable from the adb shell and carry the owning uid, which maps back to the app (uid 10000 + NN is u0_aNN, the same user name ps shows).
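When netstat is unhelpful, the raw socket table still is. The following is an added example, not from the original article: it decodes /proc/net/tcp (hex, little-endian IPv4 addresses and hex state codes) into readable endpoints, keeps only established connections leaving the device, and maps the socket’s uid back to an Android app user name. The sample table embedded in the script is constructed for illustration, with 203.0.113.7 (a documentation address) standing in for an unknown remote host; it is not real device output. /proc/net/tcp6 uses a different address encoding and is not handled here.

```bash
#!/bin/sh
# Added example (not the article's own code): decode /proc/net/tcp, readable
# from the adb shell without root, into "local remote state uid" lines.

decode_proc_net_tcp() {
    awk '
    function hex2dec(h,    i, v) {
        v = 0
        for (i = 1; i <= length(h); i++)
            v = v * 16 + index("0123456789ABCDEF", toupper(substr(h, i, 1))) - 1
        return v
    }
    # "0100007F:0016" -> "127.0.0.1:22": the IPv4 word is little-endian hex
    function addr(a,    f, ip, r) {
        split(a, f, ":")
        ip = f[1]
        r = hex2dec(substr(ip, 7, 2)) "." hex2dec(substr(ip, 5, 2))
        r = r "." hex2dec(substr(ip, 3, 2)) "." hex2dec(substr(ip, 1, 2))
        return r ":" hex2dec(f[2])
    }
    BEGIN {
        st["01"] = "ESTABLISHED"; st["02"] = "SYN_SENT";   st["03"] = "SYN_RECV"
        st["04"] = "FIN_WAIT1";   st["05"] = "FIN_WAIT2";  st["06"] = "TIME_WAIT"
        st["07"] = "CLOSE";       st["08"] = "CLOSE_WAIT"; st["09"] = "LAST_ACK"
        st["0A"] = "LISTEN";      st["0B"] = "CLOSING"
    }
    # fields: sl local rem st tx:rx tr:when retrnsmt uid timeout inode ...
    NR > 1 && NF >= 8 { print addr($2), addr($3), ($4 in st ? st[$4] : $4), $8 }'
}

# Keep established connections whose peer is neither loopback nor unspecified.
established_remote() {
    awk '$3 == "ESTABLISHED" && $2 !~ /^127\./ && $2 !~ /^0\.0\.0\.0:/'
}

# Android uid -> user name as shown by ps (user 0 only; uid = 100000*user + appId).
uid_to_android_user() {
    case "$1" in
        0)    echo root ;;
        1000) echo system ;;
        2000) echo shell ;;
        *) if [ "$1" -ge 10000 ] && [ "$1" -le 19999 ]; then
               echo "u0_a$(($1 - 10000))"
           else
               echo "uid$1"
           fi ;;
    esac
}

# Constructed sample (not real device output): a listener on 8080, a loopback
# connection owned by root, and an app (uid 10087) talking to 203.0.113.7:4444.
SAMPLE_PROC_NET_TCP='  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:8E2A 0100007F:1F90 01 00000000:00000000 00:00000000 00000000     0        0 12346 1 0000000000000000 20 4 30 10 -1
   2: 0F02000A:B6D2 077100CB:115C 01 00000000:00000000 00:00000000 00000000 10087        0 23456 1 0000000000000000 20 4 30 10 -1'

demo_connections() {
    printf '%s\n' "$SAMPLE_PROC_NET_TCP" | decode_proc_net_tcp | established_remote
}

# Against a connected device: sh tcp_decode.sh --device
if [ "${1:-}" = "--device" ]; then
    adb shell cat /proc/net/tcp | tr -d '\r' | decode_proc_net_tcp | established_remote |
    while read -r local remote state uid; do
        printf '%s -> %s %s %s\n' "$local" "$remote" "$state" "$(uid_to_android_user "$uid")"
    done
fi
```

For the sample table the filtered output is the single line `10.0.2.15:46802 203.0.113.7:4444 ESTABLISHED 10087`, and uid 10087 is `u0_a87`; `adb shell ps -A` (or plain `ps` on older builds) then shows which package runs as that user. Repeat with /proc/net/udp for UDP-based beaconing, remembering that UDP has no connection state to filter on.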
Step 5: Leveraging Specialized Android Security Tools
While not definitive, certain Android security apps can aid in diagnosis. “Root Checker” apps might confirm unexpected root status. More comprehensive security suites might detect unusual app behaviors or system integrity issues, though rootkits often try to evade these tools.
- Utilize reputable antivirus/anti-malware solutions (e.g., Google Play Protect, which is built into Google Play services, or a reputable third-party scanner such as Malwarebytes) for initial scans.
- Consider integrity checkers if available for your device/ROM.
Remediation and Prevention Strategies
If you suspect or confirm a Dirty COW compromise, immediate action is necessary:
- Update Your Device: The most effective remediation is to update your Android device to the latest available security patch. This will typically include a patched kernel version that addresses Dirty COW and other known vulnerabilities.
- Factory Reset: A factory reset wipes the user data partition and removes malware installed there, but it does not touch /system, so a modified system binary survives it. If the compromise reached /system, reflash a clean factory image (or a full OTA) for your exact model and build first, then reset. Back up important data beforehand, but be wary of restoring app backups that might reintroduce malware.
- Lock Bootloader (if applicable): If you unlocked your bootloader for rooting or custom ROMs, consider relocking it after a clean install to prevent further tampering, assuming the firmware is trustworthy.
- Use Trusted Custom ROMs: If your device no longer receives official updates, opt for well-maintained custom ROMs known for their timely security updates and use of modern kernel versions.
- Practice Prudent App Installation: Only download apps from trusted sources (Google Play Store) and be cautious about granting excessive permissions.
Conclusion
While the Dirty COW vulnerability is several years old, its potential impact on unpatched or legacy Android devices remains significant. Diagnosing a compromise requires a combination of vigilance, technical understanding, and the ability to use command-line tools like ADB effectively. By systematically checking kernel versions, logs, processes, and filesystem integrity, users and security professionals can identify the tell-tale signs of exploitation and take appropriate steps to secure their devices against this persistent threat.