
RAMpage: Nearly every Android device released since 2012 likely impacted by new vulnerability

  • RAMpage specifically targets an Android memory subsystem called ION.
  • The vulnerability is a new iteration of the Rowhammer attack.
  • RAMpage could also give hackers total control of Apple devices and regular PCs.

Security researchers have uncovered a new vulnerability that impacts almost every Android device manufactured since 2012. RAMpage is a new version of the Rowhammer attack, which exploits a hardware bug that affects memory chips. Researchers found that RAMpage can be executed via JavaScript code, GPU cards or network packets.

Modus operandi

RAMpage works on both Android phones and tablets and could also affect Apple devices, virtual machines and regular computers. It lets attackers exploit a critical weakness in modern phones, which can essentially allow any app to gain unauthorized access to a device.

“While apps are typically not permitted to read data from other apps, a malicious program can craft a rampage exploit to get administrative control and get hold of secrets stored in the device,” the research team, which included eight academics from three universities and two private companies, said on a website that details their findings.

The vulnerability can allow hackers to exfiltrate information such as passwords stored in a browser or password manager, emails, photos, instant messages and business documents.

Total device control

Unlike the previous Drammer Rowhammer attacks on Android devices, the RAMpage vulnerability targets Android’s ION memory subsystem, which is the part of the operating system (OS) that manages memory allocations between apps and the OS.

The vulnerability gives hackers the ability to breach the barrier between the Android OS and apps by attacking ION with a Rowhammer-style attack. In other words, RAMpage allows hackers to gain full control over a vulnerable device and all data stored within it.

“Rampage breaks the most fundamental isolation between user applications and the operating system. This attack allows an app to take full administrative control over the device,” the researchers said.

“More technically, every mobile device that is shipped with LPDDR2, LPDDR3, or LPDDR4 memory is potentially affected, which is effectively every mobile phone since 2012,” the researchers added. “We successfully tested rampage on an LG G4. At the moment, it is unclear whether desktop operating systems are also affected, but this seems very likely.”

No fix for the RAMpage

Researchers are still unsure about whether RAMpage has already been exploited in the wild. Unfortunately, no patches have been deployed against RAMpage yet.

Meanwhile, a staggering number of devices may currently be vulnerable to RAMpage attacks.

The researchers who uncovered RAMpage have developed a tool called GuardION which has been designed to act as a guard on vulnerable systems, effectively blocking RAMpage attacks. The team has also created a test app that reveals whether a device is vulnerable to the bug.

“It is currently unclear how widespread the Rowhammer bug (the hardware error that rampage exploits) is. By getting more people to run our updated drammer test app, we hope to get a better understanding of this issue, allowing us to make decisions on how to move forward (i.e., should we continue looking for defenses or is this an already-solved problem?)”

The researchers who uncovered the RAMpage vulnerability and its attack methods include Victor van der Veen, Herbert Bos and Kaveh Razavi from the Vrije Universiteit Amsterdam, Harikrishnan Padmanabha Pillai from Amrita University India, Martina Lindorfer, Giovanni Vigna and Christopher Kruegel from UC Santa Barbara and Yanick Fratantonio from EURECOM.
