Nearly all Android devices sold since 2012 are vulnerable to a new attack called RAMpage. The attack is a variant of the infamous Rowhammer attack and makes it possible for a malicious app to get full control over the device, without requiring any permissions.
Rowhammer is based on an unintended side effect in modern memory modules. The attack works by creating software that ‘hammers’ a row of memory cells through numerous read and write operations. Due to the high density of cells in modern memory chips, the continuous reading and writing unintentionally affects nearby cells and causes so-called bit flips. The bit flips make it possible to modify data in memory that should normally never be accessible to the software. Ultimately this makes it possible to bypass security measures of, for example, the operating system. Proof-of-concept Rowhammer code exists that demonstrates how a regular Linux process can obtain kernel privileges.
The RAMpage attack is different from Rowhammer because it specifically targets the Android memory system. By performing a Rowhammer attack on Android’s memory system, the security layer between the operating system and apps is bypassed, which makes it possible for an attacker to obtain full control over the device.
All Android devices with LPDDR2, LPDDR3 or LPDDR4 memory modules are at risk, which covers pretty much all Android devices sold since 2012. The security researchers who discovered RAMpage warn that unpatched Android devices with the affected memory modules should no longer be used for working with sensitive data such as confidential emails or private photos.
There are currently no updates for Android that protect against the RAMpage attack. However, the security researchers who discovered RAMpage have released the source code of a free tool called GuardION that offers protection against the attack.
They’ve also made a free app available that can check whether a device is vulnerable to the RAMpage attack.