RAMpage Vulnerability Affects Every Android Device Since 2012

A team of academics from three different universities and two private companies have just discovered a new vulnerability that affects almost every Android device since 2012. The RAMpage Vulnerability could be used to gain complete control over the device.

By Tim Trott • Android Tips • June 29, 2018

Android ION is a subsystem which manages how memory is allocated, specifically between apps and the operating system. Google introduced this system in Android 4.0 Ice Cream Sandwich to consolidate the memory management system implemented by each system-on-a-chip.

RAMpage Vulnerability attacks the ION subsystem, eliminating the barrier between apps and the operating system and providing the attacker full control over all data and the device.

What Is RAMpage Vulnerability?

RAMpage is a variation of the Rowhammer attack. Rowhammer is a hardware bug which occurs when an attacker sends multiple read/write requests to the same row of memory cells. These repeated requests create an electrical field that alters the data found in other nearby memory cells.

According to the researchers, "while apps are typically not permitted to read data from other apps, a malicious program can craft a RAMpage exploit to get administrative control and get hold of secrets stored in the device." These secrets can include passwords, personal photos, and more.

While testing was only done on an LG G4, the research teams stated that every mobile phone in the last six years has been affected. The reason is that the vulnerability exists on LPDDR2, LPDDR3, and LPDDR4 RAM, the RAM used by all mobile phones since 2012.

Does RAMpage Vulnerability affect Windows or Apple products?

Maybe. The researchers aren't very clear on the issue but claim that RAMpage vulnerability could affect iOS, macOS, Windows PCs, and even cloud servers. You can read their research paper in its entirety using this link (PDF).

What Can You Do against RAMpage Vulnerability?

Android users have some options, as with most vulnerabilities, but most of us will ultimately have to wait. Google is aware of the vulnerability (tracked as CVE-2018-9442), so expect a patch in the July monthly security update. Since this information is being released late in June, depending on when Google was made aware of this (often, researchers will let the company know first before making it public), the monthly patch may come later than usual or as a separate patch.

Unfortunately, with most OEMs having a terrible track record for monthly patches (except for Pixels, Blackberries, the Essential PH-1, and devices in the Android One program), your device might remain vulnerable for some time. For those of us on older devices (I use an LG G4), no patches or updates will be issued.

The researchers have released an app that can identify if your device is vulnerable to RAMpage. It isn't available on the Play Store, but you can download the APK using this link, which you will have to sideload through an SD card.

Google has recognized this flaw (CVE-2018-9442). Yet they do not consider it as important as the researchers believe. On June 29, Google issued the following statement regarding RAMpage:

We have worked closely with the team from Vrije Universiteit. Though this vulnerability isn't a practical concern for the overwhelming majority of users, we appreciate any effort to protect them and advance the field of security research. While we recognize the theoretical proof of concept from the researchers, we are unaware of any exploit against Android devices.

In general, be cautious of the apps you install on your device and the websites you visit. The attack can be executed via JavaScript code, graphics cards, and network packets, making both apps and websites potential vectors for this attack. And as soon as the monthly security update reaches your device, apply the patch. As for desktop and Apple users, expect a patch within a few days.
