Remote Android Rowhammer attack possible, but scope limited

Rowhammer attacks causing memory bit flips have traditionally been difficult to execute, but a new proof of concept for the Android Rowhammer attack shows the attack is possible to launch remotely.

Pietro Frigo, Cristiano Giuffrida, Herbert Bos and Kaveh Razavi, members of the VUSec research group at Vrije Universiteit in Amsterdam, detailed how a Rowhammer attack they call GLitch can be launched against Android devices simply by luring the target to a crafted malicious website. This makes the new Android Rowhammer attack developed by the group the first instance of a remotely executable Rowhammer attack, unlike previous Android attacks such as Drammer.

The researchers wrote in their research paper, "Grand Pwning Unit: Accelerating Microarchitectural Attacks with the GPU," they were able to successfully exploit two devices running on the Snapdragon 800/801 series systems-on-a-chip (SoCs) with OpenGL 2.0. However, the effectiveness of the attack may be somewhat limited because those Snapdragon chips are four years old and OpenGL 2.0 was replaced by OpenGL 3.0 in Android 4.3. Versions of Android older than 4.3 currently make up around 5% of devices in the wild, according to Google, with the number of exploitable devices further limited to devices based on the Snapdragon processors.

Liviu Arsene, senior e-threat analyst at Romania-based antimalware firm Bitdefender, said it is unclear how this research could affect current users.

Threat actors that have huge resources could pick up the research, find new potential vulnerabilities, weaponized them and direct them against select targets.

"It does seem that there is a limited pool of devices containing the right CPU and OpenGL combo necessary to pull off the attack. However, even if Firefox and Chrome have disabled -- in the latest builds -- the WebGL extension that was abused by the researchers, it's conceivable that other similar vulnerabilities could be found and exploited," Arsene told SearchSecurity. "While newer smartphones have in place mitigations designed to prevent bit flipping, such as target row refresh or error correcting code, it's unclear if the research will be able to dodge these protection methods as well."

Arsene couldn't discount the proof-of-concept Android Rowhammer attacks as a launching point for advanced threat actors, though.

"The average users should be safe from these types of attacks, as it takes a considerable amount of work and know-how to come up with a successful and mass-deployed attack. Based on the current research, the attack seems very expensive to pull off and somewhat unreliable," Arsene said. "However, this proof of concept instead of being used for mundane attacks, threat actors that have huge resources could pick up the research, find new potential vulnerabilities, weaponized them and direct them against select targets."