Almost all Android devices released since 2012 are affected by a new vulnerability named RAMpage, an international team of academics revealed today.
The vulnerability, tracked as CVE-2018-9442, is a variation of the Rowhammer attack.
Rowhammer is a hardware bug in modern memory cards. A few years back, researchers discovered that when someone sends repeated write/read requests to the same row of memory cells, the write/read operations create an electrical field that alters data stored on nearby memory.
The first Rowhammer attack on Android devices was named Drammer, and it could modify data on Android devices and root Android smartphones. Today, researchers expanded on that initial work.
According to a research paper published today, a team of eight academics from three universities and two private companies revealed a new Rowhammer-like attack on Android devices named RAMpage.
"RAMpage breaks the most fundamental isolation between user applications and the operating system," researchers said. "While apps are typically not permitted to read data from other apps, a malicious program can craft a RAMpage exploit to get administrative control and get hold of secrets stored in the device."
"This might include your passwords stored in a password manager or browser, your personal photos, emails, instant messages and even business-critical documents," the research team said.
Research into the RAMpage vulnerability is still in its early stages, but the team says the attack can take over Android-based smartphones and tablets.
The research team also believes RAMpage may affect Apple devices, home computers, or even cloud servers.
Researchers say they've updated an app they previously used to detect Drammer so that it also identifies whether a device is vulnerable to RAMpage. The app is not available on the Play Store and must be downloaded from here, and later side-loaded.
The difference between the previous Drammer Rowhammer attack on Android devices and the newer RAMpage Rowhammer attack is that RAMpage specifically targets an Android memory subsystem called ION.
In a simplified explanation, ION is a part of the Android OS that manages memory allocations between apps and for the OS. Google introduced ION in Android 4.0 (Ice Cream Sandwich), released on October 18, 2011.
By attacking ION with a Rowhammer attack, RAMpage allows intruders to break the boundaries that exist between Android apps and the underlying OS, giving an attacker full control over the device and its data.
Researchers released a tool called GuardION that they say, in layman's terms, puts up "guards" in front of the ION subsystem to protect it against RAMpage's attack routine. The tool has been open-sourced on GitHub.
While researchers reproduced a RAMpage attack only on an LG4 smartphone, they said that "every mobile device that is shipped with LPDDR2, LPDDR3, or LPDDR4 memory is potentially affected, which is effectively every mobile phone since 2012."
The research team also published a website detailing their findings. Although the website is a visual copy of the website used for the Meltdown and Spectre vulnerabilities, researchers said there's no resemblance between Meltdown/Spectre and RAMpage. This is because Meltdown and Spectre go after data stored inside CPU caches while RAMpage goes after data stored inside RAM cards.
"[We] hope that this page gets more people involved in contributing to research," the research team wrote on this site. "It is currently unclear how widespread the Rowhammer bug (the hardware error that RAMpage exploits) is."
"By getting more people to run our updated Drammer test app, we hope to get a better understanding of this issue, allowing us to make decisions on how to move forward (i.e., should we continue looking for defenses or is this an already-solved problem?)."