RAMpage: The Latest Rowhammer-esque Android Vulnerability


On June 28th, a group of eight academics across three different universities released a research paper outlining a new Android vulnerability called “RAMpage”. It’s a variation of previous attacks that use the Rowhammer hardware vulnerability to run malicious code by changing what’s stored in a device’s memory (RAM), and it has the potential to cause data loss and to allow unauthorized access.

According to the researchers, malware exploiting RAMpage could potentially access “your passwords stored in a password manager or browser, your personal photos, emails, instant messages and even business-critical documents.”

What follows is a brief description of the vulnerability (as it is known today), and then a description of how zIPS (powered by the most effective and complete mobile machine learning engine in the world, z9) provides protection. The end result is that zIPS users are safe without any updates.

Preliminary RAMpage Analysis

While researchers have released details needed for a very skilled adversary to recreate the attack, an actual proof-of-concept that exploits the vulnerability has not been released. However, our team has analyzed the available information and agrees that it appears to be utilizing the well-known Rowhammer vulnerability by bypassing previous mitigations put in place.

Like Rowhammer, “RAMpage breaks the isolation between user applications and the operating system. While apps are typically not permitted to read data from other apps, a malicious program can craft a RAMpage exploit to get administrative control and get hold of secrets stored in the device.”

In order for the theoretical attack to occur, a user would need to install a malicious app that uses the RAMpage attack, most likely through sideloading or by another means outside Google Play, such as being chained together with a separate exploit.

RAMpage targets the ION subsystem in Android, which is a memory allocation driver that was first launched by Google in Android 4.0 Ice Cream Sandwich. Android phones released during or after 2012 are vulnerable. Through the use of ION, the researchers were able to resurrect an attack similar to that of the previous Rowhammer attack, “Drammer”.

Google: Not Aware of Any Exploit

For its part, Google released the following statement: “We have worked closely with the team from Vrije Universiteit, and though this vulnerability isn’t a practical concern for the overwhelming majority of users, we appreciate any effort to protect them and advance the field of security research. While we recognize the theoretical proof of concept from the researchers, we are not aware of any exploit against Android devices.”

How Zimperium Will Help Combat RAMpage / Rowhammer

Zimperium zIPS, powered by z9, has many advantages, one of which is Zimperium’s full “Kill Chain” detection, wherein z9 detects attacks at multiple steps, without any updating or signatures. In the RAMpage/Rowhammer case, z9 will detect any malware and privilege escalation attempts that try to exploit the vulnerability, and prevent them via customer-defined policy enforcement.

For more information about Zimperium or our offerings, please visit us at www.zimperium.com or request a live demo here.

The post RAMpage: The Latest Rowhammer-esque Android Vulnerability appeared first on Zimperium Mobile Security Blog.

About Zimperium
Zimperium, the industry leader in Mobile Threat Defense, offers real-time, on-device protection against both known and previously unknown threats, enabling detection and remediation of attacks on all three mobile threat vectors - Device, Network and Applications. Zimperium’s patented z9™ detection engine uses machine learning to power zIPS™, mobile on-device Intrusion Prevention System app, and zIAP™, an embedded, In-App Protection SDK that delivers self-protecting iOS and Android apps. Leaders across the mobile ecosystem partner with Zimperium, including mobile operators (Airtel, Deutsche Telekom, SmarTone, SoftBank and Telstra), device manufacturers (Samsung, SIRIN, TriGem), and leading enterprise mobility management (EMM) providers (AirWatch, MobileIron, BlackBerry, Citrix and SAP). Headquartered in San Francisco, Zimperium is backed by Sierra Ventures, Samsung, Telstra, Warburg Pincus and SoftBank. Learn more at www.zimperium.com or our official blog at https://blog.zimperium.com.
