Samsung has patched a zero click vulnerability affecting all of its smartphones sold since 2014. The South Korean giant released a security patch this week that brings a critical fix for its devices. The security flaw was first brought to light by a security researcher with Google’s Project Zero team. The flaw resides in how Samsung’s version of Android OS handles the custom Qmage image format (.qmg). Samsung started supporting this custom image format on all devices released since late 2014.
Mateusz Jurczyk, a security researcher with Google’s Project Zero team, discovered a way to exploit the vulnerability. The vulnerability exploits how Skia (the Android graphics library) handles Qmage images sent to a device. Jurczyk says the Qmage bug can be exploited without user interaction leading to a zero-click scenario. This happens because Android redirects all images sent to a device to the Skia library for processing without a user’s knowledge.
Samsung fixes a critical bug
According to ZDNet, the researcher developed a proof-of-concept demo exploiting the bug against the Samsung Messages app. The app included on all Samsung devices, is responsible for handling SMS and MMS messages. The researcher exploited the bug by sending repeated MMS messages to a Samsung device. Each message attempts to guess the position of the Skia library in the Android phone’s memory. This is a necessary operation to bypass Android’s ASLR (Address Space Layout Randomization) protection.
Jurczyk further notes that once the Skia library is located in memory, a last MMS delivers the actual Qmage payload. It then executes the attacker’s code on a device. The researcher also notes that the attack usually needs between 50 and 300 MMS messages to probe and bypass the ASLR. In other words, it will take around 100 minutes to execute the attack. While it might look noisy and time consuming, the researcher adds that it can be done without alerting the user.
“I have found ways to get MMS messages fully processed without triggering a notification sound on Android, so fully stealth attacks might be possible,” the Google researcher told ZDNet. The researcher reportedly discovered the bug in February and reported the same to Samsung. The company has now patched the bug with the release of May 2020 security updates. The bug is tracked as SVE-2020-16747 in the Samsung security bulletin. In the Mitre CVE database, the bug is tracked as CVE-2020-8899. Other smartphones don’t seem to be impacted by this Qmage image format bug.