A new tool threatens to expose a huge swath of Android devices to serious risk. The attack called Drammer was devised by a team of researchers in Amsterdam and is based on the Rowhammer bug, which is a vulnerability that lets hackers manipulate data stored in memory chips.
The exploit has successfully pushed past key security defenses that protect an Android device from malicious codes. The researchers embedded it in an app that requires no permissions. Once, downloaded, it then proceeds on systematically taking over core parts of the operating system.
"The attacks that we are publishing now show that we need to think differently about how we protect software," Victor van der Veen, a member of the research team working for the University of Vrije, said in a Wired report. "A thing like Rowhammer shows that at any given time a trap can come up that nobody ever thought of."
Rowhammer works by attacking the mobile device's dynamic random access memory (DRAM) through repeated access to a row of transistors on a memory chip. The process can create damage as it causes electricity to leak causing a bit to flip. The systematic hammering attack ultimately allows attackers to subtly tamper data and gain control of the device.
This is critical because it means that the problem cannot be solved by a simple software update or conventional anti-hacking measures. The computer chip has to be replaced in order to eliminate the risk. To top it all, once hardware change has been instituted, there is the possibility that the user experience is permanently compromised.
Presently, the researchers has identified ARM-based devices and those that use x86 x64 architecture as particularly vulnerable. The researchers tested several devices and those that were found at risk include the Google Nexus 5, LG G4 and OnePlus One, among others. This information is a bit troubling to some because certain iPhone models are also equipped with the same memory chips.
There is still no known security fix for Rowhammer. Google has promised to look into the issue. In the meantime, the problem is threatening to blow over because it is also said to be effective when used to hack cloud platfomrs and browser application for the PC.
"The design is very general and applies not just on mobile platforms but perhaps even in the cloud, even in the browser on desktop computers," Cristiano Giuffrida, a member of the research team, said in the Wired report. "So the impact of this attack is much broader than just mobile phones."
The researchers are currently developing an app that can determine whether a phone is vulnerable to Rowhammer.