A team of academics from three different universities and two private companies has just discovered a new vulnerability that affects almost every Android device released since 2012. The vulnerability is known as RAMpage, and it could be used to gain complete control over the device.
Android ION is a subsystem which manages how memory is allocated, specifically between apps and the operating system. Google introduced this system in Android 4.0 Ice Cream Sandwich to consolidate the memory management system implemented by each system-on-a-chip. At the time, there were three major players: Qualcomm, TI OMAP, and Nvidia.
RAMpage attacks the ION subsystem, eliminating the barrier between apps and the operating system, and provides the attacker full control over all data and the device. Thankfully, the researchers released an open source tool known as GuardION to protect specifically against RAMpage attacks on ION. I'll explain more about GuardION below, but first let's go over RAMpage.
RAMpage is a variation of the Rowhammer attack. Rowhammer is a hardware bug which occurs when an attacker sends multiple read/write requests to the same row of memory cells. These repeated requests create an electrical field that alters the data found in other nearby memory cells.
The first Rowhammer attack was known as DRammer and affected Android devices (both rooted and non-rooted). However, the team of academics learned that this attack could be even more devastating. While DRammer didn't attack the ION subsystem, RAMpage does, potentially providing unprecedented access to your Android device and its data.
According to the researchers, "while apps are typically not permitted to read data from other apps, a malicious program can craft a RAMpage exploit to get administrative control and get hold of secrets stored in the device." And these secrets can include passwords, personal photos, and more.
While testing was only done on an LG G4, the research teams stated that every smartphone in the last six years is affected. The reason is that the vulnerability exists on LPDDR2, LPDDR3, and LPDDR4 RAM, the RAM used by all smartphones since 2012. As a result, they also believe Apple devices (such as iPhones and iPads), desktops (such as Windows and macOS PCs) and cloud servers may be affected as well. You can read their research paper in its entirety using this link (PDF).
As with most vulnerabilities, Android users have some options, but most of us will ultimately have to wait. Google's aware of the vulnerability (tracked as CVE-2018-9442), so expect a patch in the July monthly security update. Since this information is being released late in June, depending on when Google was made aware of this (often, researchers will let the company know first before making it public), the monthly patch may come later than usual or as a separate patch.
Unfortunately, with most OEMs having a terrible track record for monthly patches (with the exception of Pixels, Blackberries, the Essential PH-1, and devices in the Android One program), your device might remain vulnerable for some time.
The researchers have released an app that can identify if your device is vulnerable to RAMpage. It isn't available on the Play Store, but you can download the APK using this link.
Finally, there is GuardION, a tool which protects the ION system from RAMpage attacks. You can patch your device with GuardION, but this isn't an easy task. The instructions are advanced and have only been tested on a Pixel running Android 7.1.1 Nougat with a specific kernel. Therefore, it's likely that different devices running different versions of Android are not compatible with GuardION.