Samsung is patching a critical security vulnerability that impacts Galaxy phones sold since 2014.
Discovered by Google’s Project Zero, the security flaw is part of how Samsung phones handle a custom image format called ‘Qmage’ (.qmg). Samsung phones began supporting the format in late 2014 and it appears only Samsung modified the Android operating system to support Qmage. In other words, the flaw doesn’t affect other Android devices. The format was developed by South Korean company ‘Quramsoft.’
The vulnerability can be exploited in a ‘zero-click’ scenario. Zero-click vulnerabilities don’t require any user interaction. Further, Project Zero researchers told ZDNet that it’s possible to exploit the flaw without notifying the user.
According to the researchers, attackers could use the flaw by sending Qmage files to a Samsung device and exploiting how Android’s graphics library, ‘Skia,’ handles the images. Android redirects all image files sent to a device to the Skia library for processing, which can include generating thumbnail previews. Android does this without users’ knowledge.
Project Zero researchers developed a proof-of-concept demo that exploits the bug against the Samsung Messages app, the default app for handling SMS and MMS communication on Samsung devices. The demo repeatedly sends MMS messages to a phone. These messages attempt to guess the position of the Skia library in Android’s memory, which is necessary to bypass Android’s Address Space Layout Randomization (ASLR) protection. Once the Skia library is located, a final MMS will deliver the Qmage payload, which executes the attacker’s code on the device.
In a video shared by Project Zero researcher Mateusz Jurczyk, you can see the exploit in action. The result is that Jurczyk gains control of the Samsung phone and, for example, is able to launch apps.
However, the process of locating Skia can take between 50 and 300 MMS messages. Researchers said it takes around 100 minutes on average.
Although it may seem like someone would notice hundreds of messages sent over almost two hours, Project Zero says the attack can be modified to send the messages silently without alerting the user.
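The delivery pattern described above (dozens to hundreds of MMS from one sender over roughly 100 minutes, possibly with no visible notification) is something a message log can surface even when the user sees nothing. The following is an added illustration, not code from the article or from Project Zero: a sliding-window counter over a constructed log of inbound MMS events that flags any sender whose message count within a two-hour window reaches a threshold. The log layout, the sender numbers, the threshold of 20 and the two-hour window are all assumptions chosen for the example.

```python
from collections import deque
from datetime import datetime, timedelta


def build_sample_events():
    """Constructed sample log of inbound MMS: (timestamp, sender, has_attachment).

    One sender delivers 60 attachment-bearing MMS at 100-second spacing
    (about 100 minutes in total, mirroring the volume the article reports);
    a second sender delivers three ordinary messages spread across the day.
    The phone numbers are placeholders, not real numbers.
    """
    base = datetime(2020, 5, 6, 9, 0, 0)
    events = []
    for i in range(60):
        events.append((base + timedelta(seconds=100 * i), "+15550000001", True))
    for offset in (timedelta(hours=1, minutes=30),
                   timedelta(hours=5, minutes=15),
                   timedelta(hours=11, minutes=40)):
        events.append((base + offset, "+15550000002", True))
    return events


def mms_bursts(events, threshold=20, window=timedelta(hours=2)):
    """Flag senders whose inbound MMS count reaches `threshold` inside any
    sliding window of length `window`.

    Returns {sender: peak_count_in_window}. Only messages carrying an
    attachment are counted, since the attack relies on delivering image data.
    """
    recent = {}   # sender -> deque of timestamps still inside the window
    flagged = {}  # sender -> highest in-window count observed
    for ts, sender, has_attachment in sorted(events):
        if not has_attachment:
            continue
        q = recent.setdefault(sender, deque())
        q.append(ts)
        # Drop timestamps that have fallen out of the trailing window.
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            flagged[sender] = max(flagged.get(sender, 0), len(q))
    return flagged


if __name__ == "__main__":
    for sender, peak in mms_bursts(build_sample_events()).items():
        print(f"burst from {sender}: {peak} MMS with attachments within 2h")
```

The threshold and window are deliberately coarse; on a real device the same logic would run over the messaging provider's inbound records, and the point is that the volume needed to defeat ASLR is itself an observable signal even when individual messages are hidden.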
While Project Zero only tested the exploit against Samsung Messages, researchers note that theoretically, any app running on a Samsung phone capable of receiving a Qmage file could be vulnerable.
Thankfully, Samsung’s May 2020 patch includes a fix for the vulnerability. If you’ve got a Samsung phone, keep an eye out for the May patch and update once it’s available.