tl:dr; Rowhammer is a hardware vulnerability ( memory based ) that can potentially root your Android device and access data. A malicious app with zero permissions could be used to aid this

What is it? How does it work?

What is Row hammer?

• It is a vulnerability . This vulnerability was previously known ( see Project Zero [Google]) in the context of PCs / Linux (see this) and Row hammer wiki covers the technical aspects and mitigation

  
  



• Rowhammer is a hardware bug that allows attackers to manipulate data in memory without accessing it.

  
  



• What is DRAM Rowhammer Attack?

  
  
  
  

  • The Rowhammer attack involves executing a malicious application that repeatedly accesses the same "row" of transistors on a memory chip in a tiny fraction of a second in a process called "Hammering."

    
    
  
  

  • As a result, hammering a memory region can disturb neighboring row, causing the row to leak electricity into the next row which eventually causes a bit to flip. And since bits encode data, this small change modifies that data, creating a way to gain control over the device.

    
    
    
    

    • In short, Rowhammer is an issue with new generation DRAM chips in which repeatedly accessing a row of memory can cause "bit flipping" in an adjacent row that could allow anyone to change the value of contents stored in the memory.

      
      
    
    

    • Pictorial explanation from Wiki

      
      
    
    
    
    
  
  
  
  

OK thanks ..what about Android?

• Rowhammer vulnerability for mobile devices has been reported first by vusec

  
  



• This vulnerability has been marked as critical by Google and assigned CVE-2016-6728 by Google and Google is expected to release a patch in November. Due to the nature of attack – exploiting a hardware vulnerability – implementing comprehensive patch is not easy according to vusec

  
  



• Rowhammer RAM attack for rooting Android devices, and can even be combined with existing Android vulnerabilities such as Bandroid and Stagefright. This means that an app having no permissions can potentially root Android device (see vusec paper, which also has videos demonstrating this )

  
  

How do I test if my device is affected?

• An android app Drammer (Deterministic RowhAMMER) has been developed by vusec and can be side loaded. (See edit )

  
  



• The app does not give you a nice popup that tells you whether you are vulnerable or not. You can easily spot induced bit flips by glancing over the output and looking for the obvious keyword FLIP. Sample output from my device below

  
  

• Your phone might still be vulnerable, even if the app detected zero flips! Because of current implementation of app and it may not have fully tested memory , which implies results may not be conclusive

  
  



• Hammertime Simuator is also available on GitHub

  
  

Vusec test results

• Not every phone is susceptible for the Rowhammer bug. 27 devices and were able to flip bits on 18 of them. In the table below, you can find statistics on devices that were tested so far.

• Is there an Android phone that is not vulnerable? ( See edit 2 below)

I don't know and there has been no report on internet by researchers or OEM's claiming that they are not vulnerable. Also see this related question Are there any rowhammer resistance phones?

Edit 1 I got a warning from Google against this Drammer app though I sideloaded from official vusec link

Edit 2: Based on the paper submitted on 26 Oct 16 by the authors in the annual CCS 2016 , which is quite beyond my understanding, my conclusions are :

1. There are many countermeasures both software and hardware

   
   



2. Following devices were shown to be not vulnerable in the tests and as mentioned in the conclusion of paper x86 devices )