Recently, security researchers found a new method to root Android phones: exploiting the Rowhammer vulnerability. An attacker can also combine this vulnerability with known Android vulnerabilities (BAndroid and Stagefright) to attack the target user.

Image source: http://www.techverse.net/

Rowhammer attacks on dynamic random access memory (DRAM)

To launch a Rowhammer attack, the attacker runs a piece of malicious software that repeatedly accesses one row of transistors in a memory chip; this repeated access is known as "hammering". Hammering a memory area disturbs the adjacent rows of memory and causes charge to leak from their cells. This electromagnetic interference eventually causes data bits in the other rows to flip. The data in memory is thereby changed, and this has become a new way of obtaining control of a device.

In simple terms, a Rowhammer attack repeatedly accesses one row of a new-generation DRAM chip; this may cause bit flips in the data stored in the adjacent memory rows, and the technique lets anyone modify the data held in your machine's memory.
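As an added illustration of the mechanism described above (not code from the article or from the Drammer researchers), the following toy Python model counts activations per DRAM row, flips a cell in a row once its neighbours have been opened too often between refreshes, and shows why a target-row-refresh (TRR) style counter stops the flips; it also goes one step beyond the text by modelling double-sided hammering, where the aggressor rows sit on both sides of the victim. The threshold and refresh-interval values are assumptions chosen for illustration, not real chip parameters.

```python
from dataclasses import dataclass, field
# Assumed toy parameters chosen for illustration; real chip timings are not in the article.
FLIP_THRESHOLD = 50_000    # neighbour activations a row tolerates before a cell leaks
REFRESH_INTERVAL = 64_000  # activations (ticks) between periodic refreshes of the bank
TRR_THRESHOLD = 10_000     # activations of one row at which TRR refreshes its neighbours

@dataclass
class Bank:  # one DRAM bank; every row is an 8-bit cell group starting as all ones
    nrows: int
    trr: bool = False                         # target-row-refresh style mitigation on/off
    rows: list = field(init=False)
    disturb: list = field(init=False)         # charge disturbance accumulated per row
    act_count: list = field(init=False)       # per-row activation counter used by TRR
    flips: set = field(default_factory=set)   # rows in which a cell has flipped
    tick: int = 0

    def __post_init__(self):
        self.rows = [0xFF] * self.nrows
        self.disturb, self.act_count = [0] * self.nrows, [0] * self.nrows

    def refresh(self, r):  # rewriting a row restores its charge
        self.disturb[r] = self.act_count[r] = 0

    def activate(self, r):
        """Open ('hammer') row r once; its two physical neighbours are disturbed."""
        self.tick += 1
        for n in (r - 1, r + 1):
            if 0 <= n < self.nrows:
                self.disturb[n] += 1
                if self.disturb[n] >= FLIP_THRESHOLD:
                    mask = 1 << (n % 8)          # one leaky cell in the victim row
                    if self.rows[n] & mask:      # charge lost: the bit flips 1 -> 0
                        self.rows[n] &= ~mask
                        self.flips.add(n)
                    self.disturb[n] = 0
        if self.trr:
            self.act_count[r] += 1
            if self.act_count[r] >= TRR_THRESHOLD:  # row opened too often: refresh its
                for n in (r - 1, r + 1):            # neighbours before they can leak
                    if 0 <= n < self.nrows:
                        self.refresh(n)
                self.act_count[r] = 0
        if self.tick % REFRESH_INTERVAL == 0:       # periodic refresh of the whole bank
            for n in range(self.nrows):
                self.refresh(n)

def victims(aggressors, trr=False, n_activations=200_000):
    """Alternately activate the aggressor rows; return the rows that lost a bit."""
    bank = Bank(16, trr=trr)
    for i in range(n_activations):
        bank.activate(aggressors[i % len(aggressors)])
    return sorted(bank.flips)
```

Single-sided hammering of row 7 flips cells in rows 6 and 8, double-sided hammering of rows 6 and 8 concentrates the disturbance on row 7 alone, and with the TRR counter enabled neither pattern produces a flip in this model.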

Affected Android phones
To test Rowhammer attacks on Android phones, the security researchers built a new proof-of-concept exploit, named DRAMMER. Testing showed that the new method can not only successfully modify data on many popular phones, but also successfully root them.

The researchers successfully rooted Android phones including Google's Nexus 4 and Nexus 5, LG's G4, Samsung's Galaxy S4 and Galaxy S5, Motorola's Moto G (2013/2014), and the OnePlus One. It cannot be ruled out that other brands of Android phones are also affected by the DRAMMER attack.

To exploit this vulnerability, the researchers developed a specialized piece of malware containing the corresponding exploit code (see the links at the end of this article). This malware does not need to obtain any special user permissions to root the target phone, which helps it avoid detection by anti-virus software. However, a successful DRAMMER attack still requires the user to be persuaded to download the malicious software that contains the exploit code.

To carry out the attack, the researchers also needed direct access to DRAM through an Android system mechanism called "ION memory allocation/management". Besides giving every application direct access to DRAM, the ION memory manager also lets an application identify adjacent rows of DRAM, which is an important prerequisite for causing bit flips in memory data.

With this knowledge, the researchers then had to find a way to use the bit flips to root the target device. After gaining complete control of the target phone, they could extract any data from it.

[Paper] Drammer: Deterministic Rowhammer Attacks on Mobile Platforms

Exploit Source Code

POC: