The Rowhammer bug that can threatens millions of Android devices: Experts reveal 'bit flip' flaw that attacks memory chips
- Experts created an attack that uses an existing bug called Rowhammer
- Called Drammer, it takes advantage of handset's RAM chips weak design
- It installs an app in the phone, which then lets hackers control hardware
- 27 Android handsets from different manufactures were tested
- Successfully rooted specific Nexus, Moto G, Samsung OnePlus handsets
Researchers have devised a new method that infiltrates Android devices without exploiting software vulnerabilities.
Dubbed Drammer, this attack employs an existing bug known as Rowhammer and takes advantage of RAM chips' weak physical design – allowing hackers to easily alter memory.
This app doesn't require permission for installation, which gives cyber criminals access to millions of Android handsets including devices from Google, Samsung, LG and Motorola.
Scroll down for video
Drammer is an attack that employs an existing bug known as Rowhammer and takes advantage of RAM chips' weak physical design. Pictured is an LG Nexus 5 at the moment it is rooted using Rowhammer-induced bit flips
This vulnerability derives from the push so many manufactures make to add more dynamic random-access memory (DRAM) capacity onto the every decreasing chips.
'Our work is the first to show that Rowhammer is possible on mobile, ARM-based hardware,' said researchers in the VUSec Lab at Vrije Universiteit Amsterdam in a report.
'Drammer is the first Android root exploit that relies on no software vulnerability and is an instance of the Flip Feng Shui exploitation technique.'
Rowhammer is a hardware bug that lets hackers alter data in the electronic's memory without actually accessing - it does so by reading its location.
The new attack developed by researchers does not require the user's permission, allowing it to inconspicuously install the targeted app, reports Ars Technica.
Rowhammer changes certain bits of data in a way that completely roots name brand Android devices from LG, Motorola, Samsung, OnePlus, and possibly other manufacturers.
'Until recently, we never even thought about hardware bugs [and] software was never written to deal with them,' one of the researchers, Victor van der Veen, wrote Dan Goodin with Ars Technica in an e-mail.
'Now, we are using them to break your phone or tablet in a fully reliable way and without relying on any software vulnerability or esoteric feature.'
'And there is no quick software update to patch the problem and go back to business as usual.'
This app doesn't require permission for installation, which could give cyber criminals access to millions of Android handsets including Nexus, Samsung, LG (pictured is the LG G4 that was compromised during experiments) and Motorola.
The researchers tested 27 Android devices from different manufacturers, 21 using ARMv7 (32-bit) and six using ARMv8 (64-bit) architectures.
They managed to flip bits on 17 of the ARMv7 devices and one of the ARMv8 devices, which means they are vulnerable to the attack.
The team successfully rooted the following handsets: the Nexus 4, Nexus 5, and G4 from LG; Moto G models from 2013 and 2014 made by Motorola; the Galaxy S4 and Galaxy S5 from Samsung; and the One from OnePlus.
However, they also found that the results were inconsistent - only 12 of the 15 Nexus 5 models were successfully rooted, while only one of two Galaxy S5 were compromised.
Researcher say they notified Google about the vulnerabilities on July 25, however, it is believed that Google did not notify their hardware partners about the flaws until October 2.
The new attack developed by researchers does not require the user's permission, allowing it to inconspicuously install the targeted app. It allows hackers to alter memory, on a Samsung Galaxy S5 for example, without actually accessing it
The Android Security team said it would issue a partial fix for the flaw (CVE-2016-6728) with its November security bulletin.
Researchers explained that Google's patch will make it much harder for an attacker to launch a Drammer attack, but it does not eradicate it.
'We hope to see a more sophisticated fix soon,' according to researchers.
The team has also developed a separate app that tests devices for the Raowhammer bug, which also allows them to share their results.
This app uses a native binary for which we also released the source code and uploads anonymized output.
Drammer was a collaboration with the University of California, Santa Barbara hwo showed how Stagefright mitigation techniques can be easily bypassed using a Drammer attack.
'By tricking the victim into opening a malicious URL, an attacker gains remote shell access to the vulnerable device,' the researchers wrote.
'Since the exploited mediaserver is not running with root-privileges, however, he still cannot access /sdcard, for example.
'The attacker then launches the Drammer exploit which does give him full control over the device.'
Most watched News videos
- Dramatic scenes as group of snakes pursue fleeing Iguana
- Funnel web spider all wrapped up after encounter with redback
- Horrific moment child gets crushed underneath falling door
- Snakes on a plane! Snake appears during Aeromexico flight
- Is this the creepy moment the corpse of a girl OPENS her eyes?
- Man creates cosy home made entirely from shipping containers
- Moment furious van driver vents at group of motorcyclists
- Mother shaves daughters hair after she 'bullies cancer girl'
- Paw-somely cute moment Belle the dog gives kisses to baby boy
- Horrifying moment white 'landowner' stuffs black man in coffin
- Dramatic footage shows police car pursue fleeing drug dealer
- Police release footage of Craigslist murderer preparing home
- ‘You can’t review 650,000 new emails in eight days!’ Furious...
- Schizophrenic woman is charged with murder after 'shoving'...
- EXCLUSIVE: Troubled woman with a history of drug use who...
- Are YOU part of the shrinking middle class? Here's how much...
- EXCLUSIVE: Senior adviser Valerie Jarrett has convinced...
- DNC staffers wrote questions for CNN anchor Wolf Blitzer...
- NATO puts 300,000 troops on 'high alert' in readiness for a...
- Why these enormous snowballs in Siberia could mean America...
- It's going to the wire: Clinton will campaign at MIDNIGHT as...
- Do they know something they're not admitting to? Clinton...
- Boy imprisoned in his mother's attic and starved skeleton...
- Snakes on a plane! Horrified passengers leap out of their...