RAMpage Vulnerability Leaves Android Phones Open To Rowhammer-Like Root Hack
A team of researchers has discovered a vulnerability in Android that was thought to be already patched by Google, but is theoretically able to bypass current mitigations and gain unauthorized access to handsets and tablets. Called RAMpage, it's utilizes variations of the Rowhammer attack method that Google's security engineers discovered and fixed two years ago.
"Over the last two years, the Rowhammer bug transformed from a hard-to-exploit DRAM disturbance error into a fully weaponized attack vector...[Now] we present rampage, a set of DMA-based Rowhammer attacks against the latest Android OS, consisting of (1) a root exploit, and (2) a series of app-to-app exploit scenarios that bypass all defenses," the researchers wrote in a white paper (PDF).
RAMpage attacks work by altering data stored in memory chips in a malicious way. These types of exploits (and their variations) are dubbed Rowhammer because they 'hammer' internal rows of memory cells where individual bits are stored, hitting them thousands of times each second. This causes the bits to flip from one state to another (0 to 1 and 1 to 0) and become corrupt.
Back in 2016, Google's Project Zero team demonstrated how it would be possible to leverage this method to gain control of PCs. Later on, researchers found it could also be applied to Android devices, allowing an attacker to gain root access. This was all supposedly fixed back then.
Now researchers claim to have discovered that RAMpage is able to dodge current security measures against Rowhammer, leaving Android handsets at risk once again. "RAMpage breaks the most fundamental isolation between user applications and the operating system. This attack allows an app to take full administrative control over the device," the researchers warn.
According to the researchers, Android devices that use LPDDR2, LPDDR3, or LPDDR4 memory is potentially affected by this. That essentially covers every Android device shipped since 2012. While that sounds concerning, Google disagrees with the practical severity of RAMpage.
"We have worked closely with the team from Vrije Universiteit, and though this vulnerability isn’t a practical concern for the overwhelming majority of users, we appreciate any effort to protect them and advance the field of security research. While we recognize the theoretical proof of concept from the researchers, we are not aware of any exploit against Android devices," Google told Arstechnica.
Google also said that many newer Android handsets use memory with specific protections built-in against Rowhammer-type attacks. However, the researchers claim to have successfully tested RAMpage on an LG G4 handset. They've also developed a patch that they hope will be deployed to Android.