Mobile Security & Enterprise Mobility Blog

RAMpage: The Latest Rowhammer-esque Android Vulnerability

On June 28th, a group of eight academics across three different universities released a research paper outlining a new Android vulnerability called “RAMpage”. It is a variation of previous attacks that use the Rowhammer hardware vulnerability to run malicious code by changing what’s stored in a device’s memory (RAM), and it could lead to data loss and allow unauthorized access.

According to the researchers, malware exploiting RAMpage could potentially access “your passwords stored in a password manager or browser, your personal photos, emails, instant messages and even business-critical documents.”

What follows is a brief description of the vulnerability (as it is known today), and then a description of how zIPS (powered by the most effective and complete mobile machine learning engine in the world, z9) provides protection. The end result is that zIPS users are safe without any updates.

Preliminary RAMpage Analysis

While researchers have released details needed for a very skilled adversary to recreate the attack, an actual proof-of-concept that exploits the vulnerability has not been released. However, our team has analyzed the available information and agrees that it appears to be utilizing the well-known Rowhammer vulnerability by bypassing previous mitigations put in place.

Like Rowhammer, “RAMpage breaks the isolation between user applications and the operating system. While apps are typically not permitted to read data from other apps, a malicious program can craft a RAMpage exploit to get administrative control and get hold of secrets stored in the device.”

In order for the theoretical attack to occur, a user would need to install a malicious app that uses the RAMpage attack, most likely through sideloading or another means outside Google Play, such as being chained together with a separate exploit.

RAMpage targets the ION subsystem in Android, which is a memory allocation driver that was first launched by Google in Android 4.0 Ice Cream Sandwich. Android phones released during or after 2012 are vulnerable. Through the use of ION, the researchers were able to resurrect an attack similar to that of the previous Rowhammer attack, “Drammer”.

Google: Not Aware of Any Exploit

For its part, Google released the following statement: “We have worked closely with the team from Vrije Universiteit, and though this vulnerability isn’t a practical concern for the overwhelming majority of users, we appreciate any effort to protect them and advance the field of security research. While we recognize the theoretical proof of concept from the researchers, we are not aware of any exploit against Android devices.”

How Zimperium Will Help Combat RAMpage / Rowhammer

Zimperium zIPS, powered by z9, has many advantages. One of them is Zimperium’s full “Kill Chain” detection, wherein z9 detects attacks at multiple steps, without any updating or signatures. In the RAMpage/Rowhammer case, z9 will detect any malware and privilege escalation attempts that try to exploit the vulnerability, and prevent them via customer-defined policy enforcement.
