The latest variant, RAMpage, works in similar ways. It targets ION, Android's generic memory management subsystem, which Google introduced in 2011 as part of Android 4.0 to manage and allocate memory. An attack repeatedly writes to and refreshes rows of the device's RAM until a bit flips in an adjacent row. This opens the door to compromising the device.
The prerequisite for an attack is that the user installs an unprivileged app capable of carrying it out. "We consider an attacker with full control over a zero-permissions holding, unprivileged Android app that is running on the victim's device," researchers wrote.
The good news is the researchers have also released a tool called Guardion, a software-based mitigation against RAMpage attacks. "It prevents an attacker from modifying critical data structures by carefully enforcing a novel isolation policy," researchers wrote. "Although Guardion is not deployed in operating systems yet, there are ongoing efforts to realize this. The source code for Guardion is available online in the form of an Android kernel patch." Currently the patch is not widely available and has only been tested on the Google Pixel running Android 7.1.1 (Nougat).
The researchers credited with the RAMpage discovery are Victor van der Veen, Martina Lindorfer, Yanick Fratantonio, Harikrishnan Padmanabha Pillai, Giovanni Vigna, Christopher Kruegel, Herbert Bos, and Kaveh Razavi. Their institutions include Vrije Universiteit Amsterdam, Amrita University India, UC Santa Barbara and the French graduate school Eurecom.