“In the new Android attack, the first step was seeing whether it was even possible to flip bits on mobile phones. The researchers started by attempting Rowhammer attacks on Android phones they had root access to, and quickly observed flipped bits on test devices like the Nexus 5. Some memory chips are more resilient than others, and variables like age and temperature impact how easy it is to flip bits. Ultimately, though, flipped bits showed up in 18 of the 27 handsets they tested. The proof of concept led them to try flipping bits on phones they did not have root access to, and here, too, they succeeded.
As the group envisioned it, the DRAMMER attack would start with a victim downloading a seemingly innocuous app laced with malware to execute the hack. The researchers decided that their app would not request any special permissions—to avoid raising suspicion—and therefore would have the lowest privilege status possible for an app. This made accessing the dynamic random access memory (DRAM) difficult, but the researchers found an Android mechanism called the ION memory allocator that gives every app direct access to the DRAM. The ION memory allocator also had the added benefit of allowing the group to identify contiguous rows on the DRAM, an important factor for generating targeted bit flips. ‘This is as reliable and deterministic as it gets,’ Giuffrida says.”
Source: Elegant Physics (and Some Down and Dirty Linux Tricks) Threaten Android Phones | WIRED