RAMpage attack on Android devices


An attack on Android phones that can change what is stored in the Random Access Memory (RAM) inside a handset can ultimately let a hacker gain control of the device. This attack, called RAMpage for obvious reasons, can theoretically grab passwords stored in a password manager, as well as emails, photos, and documents stored on the unit. It is the subject of a research paper released today from three universities in India, Amsterdam and UC Santa Barbara.

RAMpage is an attack based on the Rowhammer bug, which takes advantage of the tightly packed circuitry inside a RAM chip. When one part of a RAM chip is attacked electrically, memory cells leak and interfere with other memory cells. Keep in mind that this is not necessarily a flaw, but a "side effect" of RAM. Some leakage between rows of memory cells is normal, and the RAM chip is able to recover from it, but a hacker who attacks the same row repeatedly can flip the bits stored in the cells, which use a binary system. The flip, from "0" to "1" or from "1" to "0", alters the data stored in RAM.

RAMpage can be unleashed on Android devices using LPDDR2, LPDDR3 and LPDDR4 RAM. That means that any Android phone produced in 2012 or later is vulnerable. This is obviously a complicated attack, and while Android devices are the target at the moment, iOS devices could eventually be in the crosshairs.

The researchers describe the following three steps to achieve Drammer-like exploitation using the RAMpage r0 variant:

1.) Exhausting the system heap: The researchers found that if an application intentionally drains all of ION's internal pools, the buddy allocator, another memory allocation algorithm, takes charge of the allocation process as a fallback.

Since the primary purpose of the buddy allocator is to minimize memory fragmentation, it eventually offers contiguous page allocations.

To increase the chance of successful exploitation, an attacker can also bypass the zone separation mechanism used by the system heap. To force its memory page into lowmem allocations, where kernel pages reside, the attacker continually allocates memory until no highmem is left.

"Once this is the case, the kernel serves subsequent requests from lowmem, allowing us to find bit flips in physical memory that may later hold a page table," researchers said.

2.) Shrinking the cache pool: Further, using the Flip Feng Shui exploitation vector, attackers can trick the kernel into storing a page table in the vulnerable page.


3.) Rooting a mobile device: Implementing the above two steps tricks the operating system into landing the targeted memory page adjacent to the attacker-owned page. All the attacker then needs to do is implement the remaining steps of the DMA-based Rowhammer attack to find exploitable chunks and develop a root exploit.

