2020-05-07

Samsung has released a new security update to fix a critical vulnerability affecting all of its smartphones sold since 2014.

The bug lay in the way Android's graphics library, Skia, handles Samsung's custom Qmage image format (.qmg). Mateusz Jurczyk, a security researcher with Google's Project Zero bug-hunting team, discovered the vulnerability in February and reported it to Samsung.

What was the bug and how did it work?

Jurczyk noted that the Qmage bug could be exploited in a zero-click scenario, meaning no user interaction is required. This is possible because Android passes every image received by the device to the Skia library for processing, without the user being aware of it.

The security researcher developed a proof-of-concept demo exploiting the bug against the Samsung Messages app. He flooded a Samsung Galaxy Note 10+ running Android 10 with multimedia messages (MMS), each of which attempted to determine the position of the Skia library in the device's memory. Once the Skia library had been located, the final MMS delivered the Qmage payload that executed the exploit code.

According to Jurczyk, up to 300 MMS messages are needed to probe and bypass Address Space Layout Randomisation (ASLR), which typically takes around 100 minutes.
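A defensive heuristic suggested by the figures above, written here as an added example rather than anything from the article, Google or Samsung: flag any sender whose MMS count within a 100-minute sliding window reaches a threshold. The sample records, the phone numbers and the threshold of 50 are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log, not taken from the article: one record per received MMS
# as (timestamp, sender, attachment name). Sender "+15550100" floods the device
# with 60 .qmg attachments at one-minute intervals; "+15550199" sends three JPEGs.
BASE = datetime(2020, 5, 1, 9, 0, 0)
SAMPLE_MMS = [(BASE + timedelta(minutes=i), "+15550100", f"img{i}.qmg")
              for i in range(60)]
SAMPLE_MMS += [(BASE + timedelta(hours=2, minutes=i), "+15550199", f"photo{i}.jpg")
               for i in range(3)]


def mms_burst_senders(records, window=timedelta(minutes=100), threshold=50):
    """Return {sender: peak count} for every sender whose number of MMS inside
    any sliding `window` reaches `threshold`.

    The defaults are assumptions derived from the article's figures (up to 300
    messages in roughly 100 minutes), not a vendor-supplied detection rule.
    """
    by_sender = defaultdict(list)
    for ts, sender, _attachment in records:
        by_sender[sender].append(ts)

    flagged = {}
    for sender, stamps in by_sender.items():
        stamps.sort()
        recent = deque()  # timestamps currently inside the sliding window
        peak = 0
        for ts in stamps:
            recent.append(ts)
            # Evict timestamps that are older than `window` relative to `ts`
            while ts - recent[0] > window:
                recent.popleft()
            peak = max(peak, len(recent))
        if peak >= threshold:
            flagged[sender] = peak
    return flagged


if __name__ == "__main__":
    print(mms_burst_senders(SAMPLE_MMS))  # {'+15550100': 60}
```

The evicted timestamps leave the count at the peak density seen for each sender, so a slow trickle of images is not flagged while a burst of the size the article describes is.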

Worse, the victim gets no hint of the attack, since it can be carried out without triggering the notification sound on the Android smartphone.

Beyond the MMS exploit, Jurczyk states that there could be other ways to attack any app on a Samsung device that supports Qmage and can receive images from a remote attacker.

Samsung, informed in February, fixed the vulnerability in its May 2020 security patch. The bug is tracked as SVE-2020-16747 in Samsung's security bulletin and as CVE-2020-8899 in the MITRE CVE database.

Other smartphones are presumed not to be affected, as only Samsung appears to have modified the Android OS to support the custom Qmage format, which it has used on its smartphones since 2014.