A team of researchers from several universities and private companies has developed a new attack that breaks a fundamental security layer in Android and affects the majority of mobile devices released over the past six years.
Dubbed Rampage, the attack allows malicious applications to break out of their sandbox and access the entire operating system. This includes accessing the data stored by other applications, which the Android security model is meant to prevent.
“While apps are typically not permitted to read data from other apps, a malicious program can craft a rampage exploit to get administrative control and get hold of secrets stored in the device,” the researchers said on a website set up to present the attack. “This might include your passwords stored in a password manager or browser, your personal photos, emails, instant messages and even business-critical documents.”
Rampage is the latest attack to exploit Rowhammer, a vulnerability disclosed in 2014 that stems from the design of modern DRAM memory, which uses densely packed cells. At the time, researchers discovered that by aggressively “hammering” memory rows with read and write operations they can cause memory cells to leak their electrical charge and flip bits in adjacent rows.
If this is done in a controlled manner, it can have serious consequences such as enabling privilege escalation—the targeted cells whose bits are flipped might store the memory of privileged processes or the kernel.
In fact, an exploit dubbed Drammer that was published in 2016 has already proven that attackers can gain root on Android devices through a Rowhammer exploit. Google has since made changes in the Android memory management to mitigate that attack.
The new Rampage exploit, tracked as CVE-2018-9442, was devised by many of the same researchers who developed Drammer and is a continuation of that work. However, the new variant targets the ION memory allocator first introduced in Android 4.0 in a way that bypasses the mitigations added by Google to prevent Drammer.
The researchers tested their Rampage proof-of-concept exploit successfully on an LG G4 device, but they believe that “every mobile device that is shipped with LPDDR2, LPDDR3, or LPDDR4 memory is potentially affected, which is effectively every mobile phone since 2012.”
“At the moment, it is unclear whether desktop operating systems are also affected, but this seems very likely,” the researchers added. It is also quite possible, they said, that Apple’s iOS devices are affected by similar attacks.
Rampage exploits are not easy for existing Android anti-malware programs to detect, because they do not differ much in behavior or content from benign applications. However, once such an exploit becomes known it might be possible to detect it by binary comparison.
The good news is that the research team didn’t just create a critical attack affecting most Android devices, but also developed a prototype defense mechanism dubbed Guardion that could block all DMA-based Rowhammer exploits on mobile devices, including Drammer and Rampage. Its implementation has been released as open-source code on GitHub.
Guardion is a “lightweight defense that prevents DMA-based attacks—the main attack vector on mobile devices—by isolating DMA buffers with guard rows,” the researchers said in a paper published along with the website. “We evaluate guardion on 22 benchmark apps and show that it has a negligible memory overhead (2.2 MB on average). We further show that we can improve system performance by re-enabling higher order allocations after Google disabled these as a reaction to previous attacks.”
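To make the guard-row idea concrete, the following toy simulation (added here; it is not Guardion's own code) models a bank of DRAM rows in which a flip caused by hammering a row lands in an adjacent row, and shows that a DMA buffer flanked by guard rows can no longer corrupt kernel-owned rows. The 16-row layout, the buffer sizes and the single-row flip model are constructed assumptions.

```c
/* Toy model of the guard-row idea: a DRAM bank is NROWS rows and a bit flip
 * induced by hammering row r lands in an adjacent row (r-1 or r+1). A guard
 * row on each side of a DMA buffer means a flip escaping the buffer can only
 * land in a guard row, never in kernel memory. Constructed simulation only. */
#include <stdio.h>
#include <string.h>
#define NROWS 16
enum row_kind { ROW_FREE = 0, ROW_KERNEL, ROW_DMA, ROW_GUARD };
static enum row_kind rows[NROWS];
/* Constructed layout: kernel-owned rows at both ends, free rows in between. */
void setup_layout(void) {
    memset(rows, ROW_FREE, sizeof rows);
    for (int r = 0; r < 4; r++) rows[r] = rows[NROWS - 1 - r] = ROW_KERNEL;
}
/* Allocate n rows of DMA buffer at `start`; with guard = 1 one row on each
 * side is reserved as a guard row. Returns 0 on success, -1 if it does not fit. */
int alloc_dma(int start, int n, int guard) {
    int lo = start - guard, hi = start + n - 1 + guard;
    if (n <= 0 || lo < 0 || hi >= NROWS) return -1;
    for (int r = lo; r <= hi; r++)
        if (rows[r] != ROW_FREE) return -1;
    for (int r = start; r < start + n; r++) rows[r] = ROW_DMA;
    if (guard) rows[lo] = rows[hi] = ROW_GUARD;
    return 0;
}
/* Kind of the row that receives a flip when `hammered` is hammered toward
 * `dir` (-1 = row above, +1 = row below); -1 if that row does not exist. */
int flip_victim(int hammered, int dir) {
    int v = hammered + dir;
    return (v < 0 || v >= NROWS) ? -1 : (int)rows[v];
}
/* 1 if no DMA row is adjacent to a kernel row, so a single-row flip from the
 * buffer cannot reach kernel memory; 0 otherwise. */
int dma_isolated(void) {
    for (int r = 0; r < NROWS; r++) {
        if (rows[r] != ROW_DMA) continue;
        if (r > 0 && rows[r - 1] == ROW_KERNEL) return 0;
        if (r + 1 < NROWS && rows[r + 1] == ROW_KERNEL) return 0;
    }
    return 1;
}
int main(void) {
    setup_layout(); alloc_dma(4, 4, 0);   /* no guards: row 4 touches kernel row 3 */
    printf("no guards:   isolated=%d\n", dma_isolated());
    setup_layout(); alloc_dma(5, 4, 1);   /* guard rows at 4 and 9 */
    printf("with guards: isolated=%d\n", dma_isolated());
    return 0;
}
```

The cost of the isolation in this model is the two extra rows per buffer, which is the memory overhead the paper measures as small in practice.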
The research team behind Rampage and Guardion is made up of Victor van der Veen, Herbert Bos and Kaveh Razavi from Vrije Universiteit Amsterdam; Giovanni Vigna and Christopher Kruegel from UC Santa Barbara; Martina Lindorfer from TU Wien; Yanick Fratantonio from EURECOM and Harikrishnan Padmanabha Pillai from IBM.
The researchers have also developed an open source application that can test whether an Android device is vulnerable to Rampage. However, the app is not available on Google Play and needs to be downloaded manually from the website and side-loaded, which requires enabling “Unknown Sources” in Android’s settings.