All Samsung Galaxy Phones Since 2014 Are Vulnerable To This Zero-Click Exploit, Patch Now
If you own a Samsung Galaxy handset that was released in the past six years, do yourself a solid and check for an over-the-air (OTA) software update. Left unpatched, every Galaxy phone dating back to 2014 is vulnerable to a so-called 'zero-click' bug related to Android's handling of the custom Qmage image format (.QMG).
That means millions of Galaxy phones are affected by this, until patched with the latest security update from Samsung. Not to be overlooked, the vulnerability carries the highest 'Critical' rating, and could allow an attacker to run malicious code remotely. Part of the reason for the high severity rating is because vulnerable handsets can be exploited without any user interaction.
Google's Project Zero team discovered the flaw and reported the issue to Samsung in January. It has been addressed in Samsung's May 2020 Security Bulletin, along with a bunch of other security issues. Mateusz Jurczyk, one of the security researchers with Project Zero, uploaded a proof-of-concept video to demonstrate the vulnerability. Have a watch...
Samsung starting reporting the Qmage image format in the latter part of 2014, and it's been present ever since. What makes it a zero-click bug (i.e., does not require any interaction from the victim) is that when images are sent to a device, Android hands them over to the Skia library to be processed, for things like creating thumbnail images, and it happens behind the scenes.
Left unpatched, and attacker could ping a target handset with multiple multimedia SMS (MMS) messages in repeated attempts to guess where the Skia library resides in a phone's built-in memory. Once that is determined, the attacker could send malicious code under the guise (to the phone) of a Qmage image.
Jurczyk told ZDNet this typically entails between 50 and 300 MMS messages to discern the location and ultimately sidestep Android's ASLR (Address Space Layout Randomization) protection. And even though a high number of messages would usually trigger suspicion, they can be stealthily sent and processed by the target phone without any notifications.
Fortunately, Samsung was relatively quick to roll out a fix after being alerted to the flaw. So again, if you own a Galaxy handset—either a recent one or dating all the way back to something like the Galaxy Note 4 or Galaxy Note Edge (both released in late 2014)—then head over into your device's settings and manually check for an update.