DRAMMER: Rowhammer Attack Comes To Android, Can Root Millions Of Android Devices

Short Bytes: A team of researchers at VUSec Lab has demonstrated the Drammer attack, an implementation of the Rowhammer attack for ARM-based devices. The attack has the potential to root millions of Android devices from well-known brands such as Samsung, LG, Motorola, OnePlus and Xiaomi.

The Rowhammer attack has been known for a while, but it was mainly thought of as a vulnerability affecting PCs. There, the attack repeatedly hammers (accesses) the same row of DRAM until nearby memory cells change their state. This is what allowed the Google Project Zero team to gain kernel-level privileges.

The same attack has now been crafted for Android devices, most of which run on ARM-based hardware. The work was done by researchers from VUSec Lab at the Vrije Universiteit Amsterdam. “Drammer is the first Android root exploit that relies on no software vulnerability,” the researchers wrote in a blog post.

So, what is DRAMMER?

Drammer, short for Deterministic Rowhammer, works much like its PC counterpart and is an instance of the Flip Feng Shui exploitation technique. Once in action, it hammers a row of DRAM memory cells. A DRAM cell holds its value not as a fixed physical mark but as an electric charge, and the repeatedly accessed row can disturb the charge in an adjacent row, causing a stored value to change from 0 to 1 or from 1 to 0. This process is known as bit flipping.

Such a change alters the data stored in the memory cell. If the process is carried out carefully, root privileges can be acquired on the target Android device. A detailed description of Drammer has been published in the paper “Drammer: Deterministic Rowhammer Attacks on Mobile Platforms”, authored by Victor van der Veen et al.

The attacker can get an application installed on the target device that does not even ask for any user permissions. During the demos, the researchers combined Drammer with Stagefright (used for remote code execution).

“By tricking the victim into opening a malicious URL, an attacker gains remote shell access to the vulnerable device. Since the exploited mediaserver is not running with root privileges, however, he still cannot access /sdcard, for example. The attacker then launches the Drammer exploit which does give him full control over the device.”

Here is the demo video:

Is my phone affected?

The researchers wrote that popular devices from big brands such as Samsung, LG, Nexus, Motorola and Xiaomi are vulnerable to the Drammer attack. To test the attack on various devices, they created an Android app, which they call the Drammer Test App, in collaboration with the University of California, Santa Barbara. Of the 27 devices tested, the researchers were able to flip bits on 18.

On the device, the app detects whether any bit flips were made and sends anonymized data to the researchers if the test is successful. However, the researchers acknowledge that their app falls short on some technical aspects and is being improved: “Your phone might still be vulnerable, even if the app detected zero flips!”
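To make the detection side of such a test concrete, here is an added C example; it is not code from the VUSec researchers or their Drammer Test App. It shows the integrity check a bit-flip test relies on: a region of memory is filled with a known value and, after the stress run, every byte is compared against that fill value, recording the byte offset, bit position and direction of each flipped bit. The hammering step itself is left out; the flips in the demo are injected by hand into a constructed 4 KiB buffer. The names `flip_record`, `scan_for_flips` and `demo_flip_count` are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One detected flip: where it happened and in which direction. */
typedef struct {
    size_t offset;      /* byte offset of the corrupted byte in the buffer */
    int    bit;         /* bit index 0..7 within that byte                 */
    int    one_to_zero; /* 1 if the cell lost its charge (1 -> 0), else 0   */
} flip_record;

/* Compare a region against the value it was filled with and record every
 * bit that no longer matches. Returns the total number of flipped bits,
 * which may exceed max_records; only the first max_records are written
 * to out. Taking the fill value as a parameter lets the caller run the
 * check once with an all-ones fill and once with an all-zeros fill, since
 * flips depend on the surrounding data. */
size_t scan_for_flips(const uint8_t *buf, size_t len, uint8_t expected,
                      flip_record *out, size_t max_records)
{
    size_t found = 0;
    for (size_t i = 0; i < len; i++) {
        uint8_t diff = buf[i] ^ expected;   /* set bits are flipped bits */
        while (diff) {
            int bit = __builtin_ctz(diff);  /* lowest flipped bit position */
            if (found < max_records) {
                out[found].offset = i;
                out[found].bit = bit;
                /* if the expected bit was 1, the cell lost its charge */
                out[found].one_to_zero = (expected >> bit) & 1;
            }
            found++;
            diff &= (uint8_t)(diff - 1);    /* clear that bit and continue */
        }
    }
    return found;
}

#define PAGE_SIZE 4096

/* Constructed scenario: a page filled with 0xFF, then three bits cleared
 * by hand to stand in for flips a real hammering run would leave behind. */
static void build_constructed_page(uint8_t *page)
{
    memset(page, 0xFF, PAGE_SIZE);
    page[100]  ^= 0x08;   /* constructed: bit 3 of byte 100 cleared        */
    page[3000] ^= 0x81;   /* constructed: bits 0 and 7 of byte 3000 cleared */
}

/* Runs the scan over the constructed page; returns the flip count (3). */
size_t demo_flip_count(void)
{
    static uint8_t page[PAGE_SIZE];
    flip_record recs[8];
    build_constructed_page(page);
    return scan_for_flips(page, PAGE_SIZE, 0xFF, recs, 8);
}

int main(void)
{
    static uint8_t page[PAGE_SIZE];
    flip_record recs[8];
    build_constructed_page(page);
    size_t n = scan_for_flips(page, PAGE_SIZE, 0xFF, recs, 8);
    printf("%zu flipped bit(s) detected\n", n);
    for (size_t i = 0; i < n && i < 8; i++)
        printf("  byte %zu, bit %d: %s\n", recs[i].offset, recs[i].bit,
               recs[i].one_to_zero ? "1 -> 0" : "0 -> 1");
    return 0;
}
```

Because the fill value is a parameter, the same routine serves both halves of a typical run (all-ones fill, then all-zeros fill), and the recorded direction of each flip is what distinguishes a cell that lost its charge from one that gained it. A zero count from a single run says nothing about other fill patterns or other regions of DRAM, which is why the researchers warn that a clean result does not prove a device is safe.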

It is not available on the Google Play Store; the researchers have provided the download link in the blog post itself.

Drammer is here, what’s next?

A ray of hope offered by the researchers is that the Drammer attack is less effective against LPDDR4 memory. “This is because the LPDDR4 standard includes optional hardware support for the so-called target row refresh mitigation.”

On July 25, the researchers notified Google’s Android Security Team about the hardware-level vulnerability (CVE-2016-6728), for which they received a bug bounty cash reward. Google marked the vulnerability as critical. On October 3, Google informed its hardware partners about the issue. A patch is scheduled to arrive in the November Android Security Bulletin.

“Note that, although Google’s patch round from November complicates our attack, it does not eradicate it. We hope to see a more sophisticated fix soon.”

The demo video of an LG Nexus 5 running Android 6.0.1 with the latest security patches:

What is root – Gary explains

You may have heard of the term “rooting your phone” and you may have seen that some apps on the Google Play Store require “root” access to work. But what is root? What is “rooting” your phone and why would you do it? Let’s find out!

The majority of operating systems, including Windows, OS X and Linux, have the concept of system privileges, where processes, and therefore users, run at different privilege levels that determine what the process is allowed or prohibited from doing. On some OSes this scale of system privileges is fine-grained, with a range of privileges from the lowest to the highest. On Unix-like operating systems the difference between an unprivileged user and a privileged user is more black and white: a process or user is either unprivileged or privileged, with no ambiguity in between. A privileged user on Linux is known as a superuser or root.

Android Pay no longer works with latest root methods

One of the major drawbacks of rooting your phone these days is losing access to certain apps. Ones that work with sensitive data, such as your bank details, often won’t run on rooted devices, although that hasn’t stopped the development community from finding ways around this. However, it seems that Google is now wise to the latest trick and is updating its server-side system to prevent rooted users from using apps like Android Pay.

Highly regarded developer Chainfire came up with a root method that avoids tampering with the /System partition, meaning that the method didn’t trigger the SafetyNet detection used by apps including Android Pay. This weekend, though, Google appears to have begun rolling out a server-side update to counteract this exploit, which is disabling use of SafetyNet-protected apps even with this root method. As the update is applied to the off-device servers, there’s nothing that root users can do about it. The jig is up, at least for now.

Ghost Push malware can root devices and install unwanted apps – here is the fix

A common rule of thumb is that those who stick with the Google Play Store are safe from malware and other dangers. This is mostly the case, but once in a blue moon we get some exceptions. Such is the case for Ghost Push, a trojan malware that hides itself inside popular apps and has managed to make its way to official app markets (yes, this includes our beloved Play Store).

This malicious code was discovered by Cheetah Mobile on September 18th. Things spread quickly, and the malware managed to infect 900,000 devices, which really is a significant number. This includes smartphones and tablets from many markets and manufacturers. We can attribute the quick proliferation to the nature of the software. Aside from bypassing security measures established by the Google Play Store and other markets, Ghost Push was able to obtain full root and take complete control of smartphones and tablets. This also made it nearly impossible to get rid of.

Google let root certificate for Gmail expire, causing e-mail hiccups

On Saturday morning, one of Google’s root certificates expired, causing millions of users’ mail clients to suddenly protest. The certificate for Google’s intermediate certificate authority (Google Internet Authority G2) was used to issue Gmail’s certificate for SMTP, and the expiration at 11:55am EDT caused many e-mail clients to stop receiving Gmail messages. While the problem affected most Gmail users using PC and mobile mail clients, Web access to Gmail was unaffected.

Google reported on the company’s Apps status page that engineers had been alerted to “issues with Gmail” at 1:21pm EDT on Saturday. In a later status update, a company spokesperson noted that “affected users are able to access Gmail but are seeing error messages and/or other unexpected behavior” and that “smtp.gmail.com is displaying an invalid certificate.”

The new SuperSU beta from Chainfire is open for testing, working to fix root apps in Lollipop

Android 5.0 Lollipop brings a massive number of improvements to the table, and this goes equally for security, in large part due to its tweaked implementation of SELinux. Of course, the downside is that getting root and using root apps with Lollipop is much more challenging than past versions of Android.

In particular, quite a few root apps are broken on Android 5.0. Thankfully, the newest version of SuperSU from Chainfire looks to fix many of these issues. If you’re feeling brave, you can download SuperSU v2.23 directly from Chainfire’s site, though it’s currently just a beta version. Testers are of course welcome, as more of them speed up the bug-fixing process.

Root users rejoice – SuperSU now supports Android L

SuperSU is popular for a reason. The Chainfire team is amazingly dedicated, making their Superuser manager one of the best options around. Timing is always an important factor, and developer Chainfire is not lacking in that department either.

SuperSU has been updated to version 2.01, bringing support for the Android L Preview. Most users won’t be able to take advantage of it, as Android L has yet to be completed, but the preview version can now get root support from SuperSU. It’s a small update that revolves around the pre-release Android version; we won’t find any other improvements or fixes.

Change your stock launcher icons, no root required

Customization is one of the stronger points of Android. With a multitude of tweaks in UI and functionality, the platform enables users to incorporate more of their personality and needs into their devices, compared with, say, iOS. While for some, customization is skin-deep — like themes, wallpapers and graphics — others take rooting their devices as an avenue to do even more drastic customizations.

But even supposedly skin-deep customizations might require root. For instance, changing icon packs in stock launchers might sound mundane, but in most cases it requires root. If you wanted to change icons, you had to switch to popular launchers like Nova, GoLauncher or Apex. At least, until now. An app called Beautiful Icon Styler can customize several stock launchers with custom icon packs without the need for a rooted device. These include the Google Now Launcher and proprietary launchers by Samsung, Motorola, HTC and LG.

Chromecast rooted, apparently runs Android from Google TV, not Chrome OS

Unsurprisingly, the Chromecast has been rooted by a team of hackers, who were apparently able to reveal that the device runs Android rather than Chrome OS, or more precisely a “modified Google TV release.”

Initially, Google said the device runs a stripped-down version of Chrome OS, but the GTVHacker crew thinks otherwise:

New Amazon Kindle Fire HD gets rooted with an old exploit

The big talk around Android regarding the Amazon Kindle Fire HD is that the bootloader can’t be unlocked. For regular people who don’t intend to do any serious hacking on their Kindle Fire HD, this doesn’t mean much. If you like to run at the bleeding edge of Android development, though, an unlocked bootloader is much more important. The first steps toward unlocking the bootloader have been taken, as the Kindle Fire HD already has root.

That’s not bad for a tablet that is still in the pre-order stage of its life cycle. Even if it were already released, you couldn’t do much with root access just yet. It is also worth noting that there is no custom recovery like ClockworkMod or TWRP available yet. So, essentially, there won’t be any ROM flashing after this method; you’ll simply have root access.
