Threat Intelligence

November 1, 2016

min read

DirtyCow and Drammer Vulnerabilities | Android Threats

Two especially critical flaws that  allow an attacker to root or completely compromise a device have just been added to the litany of vulns on Android devices. The vulnerabilities are known colloquially as DirtyCow (CVE-2016-5195) and Drammer (CVE-2016-6728). While they are unrelated, they both represent a real risk to Android users as individuals have already published proof-of-concept exploit code online for both vulnerabilities, thus minimizing the time attackers would need  to understand and develop their own exploits from scratch. Additionally, industry researchers have already seen attackers using DirtyCow  to exploit Linux-based systems in the wild. Given that the CVEs and the POC code are publicly available, enterprises should see this as a concern. If an attacker roots a device, she has full control over it, which means she may also be able to collect sensitive data from the device. If the victim is an employee, that may mean company information is being leaked. Having visibility into the kinds of apps, rooted devices, or outdated software running on the corporate network is critical.DirtyCowThe first vulnerability, called DirtyCow has likely been actively used in the wild to attack some Linux systems.  Security researcher Phil Oester discovered the vulnerability, which is a race condition in the copy-on-write (COW) mechanism within the the Linux kernel’s memory subsystem. It essentially allows a user to write to files that are marked as “read-only” for that user. This means an attacker can use a malicious app or other mechanism to write data to files the sandbox is meant to protect, thus leading to a privilege escalation and possibly to completely root the device and take it over. The vulnerability extends back nine years and affects all versions of Android including the latest Android 7.0 Nougat. While Linus Torvalds created and released a patch for the Linux Kernel – which Android uses – the patch has not been released as a security update for Android users yet. DirtyCow is an easy vulnerability to understand and proof-of-concept exploit code is already in the wild, available to researchers and attackers alike. . We expect to to see this issue patched in the November 2016 Android Security Update at the earliest.


The second vulnerability, called Drammer and discovered by VUSec, is the first time the Rowhammer vulnerability has been applied to ARM-based devices, in this case Android devices. Drammer is a hardware bug that can manipulate memory it doesn’t control by reading or “hammering” a row in memory to effectively induce another spot in memory to have its bit “flip” or change value. If an attacker does this hammering enough times, he or she can control which space in memory it points to so that a device can eventually be compromised and rooted. Drammer likely works on all versions of Android including the latest, but the mileage may vary.


Google has developed a mitigation that will be included in their November security bulletin. They have banned the Drammer POC app from the Google Play Store. Lookout customers are protected from this test app. Our investigation revealed that the banned POC app published by the academic researchers is not overtly malicious, but it does exploit the vulnerability and has been observed to cause local denial-of-service on failed exploit attempts. Enterprises should use a mobile security partner to gain awareness into the apps running on their employees’ devices and to receive timely alerts when one of those apps is risky or malicious. Android users are encouraged to update their devices as soon as their carrier or manufacturer issues a patch.