After Windows & Linux, Rowhammer takes over Android as well

Oct 24, 2016 21:10 GMT

Researchers have discovered a method to use the Rowhammer RAM attack for rooting Android devices, and even combine it with existing Android vulnerabilities such as BAndroid and Stagefright.

For the past two years, since researchers discovered the attack, the term Rowhammer has been used to describe a procedure through which attackers launch read and write operations at a row of memory bits inside a RAM memory card.

The repeated read and write operations cause an electromagnetic field to appear, which changes local memory bits from 0 to 1 and vice versa, in a process called bit flipping.

In the past, researchers have tested the Rowhammer attack against DDR3 and DDR4 memory cards, weaponized it via JavaScript, taken over PCs via Microsoft Edge, and hijacked Linux virtual machines.

It's now Android's turn to get pwned by Rowhammer

The same researchers who created the Edge and Linux VM attacks are now back with a new Rowhammer attack, which they say is effective at taking over smartphones running the Android operating system.

For their research paper, called "Drammer: Deterministic Rowhammer Attacks on Mobile Platforms," researchers tested and found multiple smartphone models to be vulnerable to their attack.

The list includes LG Nexus (4, 5, 5X), LG G4, Motorola Moto G (2013 and 2014), OnePlus One, HTC Desire 510, Lenovo K3 Note, Xiaomi Mi 4i, and Samsung Galaxy (S4, S5, and S6) devices. Researchers estimate that millions of Android users might be vulnerable.

Users can test if their device is vulnerable via a special app which the research team has put together.

Attack works on any ARM-based device

Researchers say that not all devices will show up as vulnerable because the app chooses random memory portions to test, so a negative test means users might still be using vulnerable devices.

Unlike the Rowhammer attack on Edge and Linux VMs, the Rowhammer attack version for Android devices doesn't leverage advanced memory management features, such as memory deduplication, and uses a technique called "deterministic Rowhammer exploitation," hence the attack's name of Drammer. The general nature of this attack method has allowed researchers to exploit devices which they previously thought to be unreachable.

The research team says the Drammer attack has far more wide-reaching implications than just Android, being able to exploit any device running on ARM chips.

Google has prepared a patch

The team of scientists, from three universities in Holland, the US, and Austria, said they informed Google of their research in late July.

Google notified Android OEMs of Drammer in October and prepared a patch to prevent attacks, which it will release in Android's November Security Bulletin.

Researchers said they don't plan to release the exploit code that weaponizes the Rowhammer attack in order to root Android devices.