On Thursday, researchers in the VUSec research group at Vrije Universiteit in Amsterdam published a paper that details a new form of the Rowhammer attack they call "GLitch." Like previous versions, it uses Rowhammer's trick of inducing electric leaks in memory to change ones to zeros and vice versa in the data stored there, so-called "bit flips." But the new technique can allow a hacker to run malicious code on some Android phones when the victim simply visits a carefully crafted web page, making it the first ever remote, smartphone-targeted implementation of the Rowhammer attack.
Known since at least 2012, the issue was first exploited by Google's Project Zero researchers in early 2015, when they pulled off remote Rowhammer attacks on computers running Windows and Linux.
Last year, a team of researchers in the VUSec Lab at Vrije Universiteit Amsterdam demonstrated that the Rowhammer technique could also work on Android smartphones, but with a major limitation: a malicious application first had to be installed on the target phone.
Since the malicious code runs only within the privileges of the web browser, it can spy on the user's browsing pattern or steal their credentials. However, the attacker cannot gain further access to the user's Android phone.
Here's How GLitch Attack Works
Currently, GLitch targets smartphones running the Snapdragon 800 and 801 system on a chip—that includes both CPU and GPU—meaning the PoC works only on older Android phones like the LG Nexus 5, HTC One M8, or LG G2. The attack can be launched against Firefox and Chrome.
"If you're wondering if we can trigger bit flips on Chrome the answer is yes, we can. As a matter of fact, most of our research was carried out on Chrome," the researchers said. "We then switched to Firefox for the exploit just because we had prior knowledge of the platform and found more documentation."
No Software Patch Can Fully Fix the Rowhammer Issue
Since Rowhammer exploits a computer hardware weakness, no software patch can completely fix the issue. Researchers say the Rowhammer threat is not only real but also has the potential to cause some real, severe damage.
Although there's no way to fully block an Android phone's GPU from tampering with the DRAM, the team has been working with Google on ways to solve the problem.
For more in-depth details on the new attack technique, you can head over to this informational page about GLitch and this paper [PDF] published by the researchers.