Samsung has patched a major 0-click vulnerability (Via ZDNet) that has affected all its devices released since 2014 with its recent May 2020 security patch. The flaw was with how Samsung’s Android skin handles the custom Qmage image format that it started supporting on its devices sold since late 2014.
The bug could be exploited without any user interaction and with a 0-click approach. The security flaw was discovered by security researcher Mateusz Jurczyk who is a part of Google’s Project Zero team. A proof-of-concept developed by the security researcher shows how the flaw could be exploited using Samsung’s default Messages app. In the concept, he sent repeated MMS messages to a Samsung Galaxy Note10+ affected by the flaw. Every message tried to bypass the ASLR protection of Android by trying to guess the position of the Skia library in the device memory. The attacker will need to send anywhere between 50 to 300 MMS messages and around 100 minutes to bypass the ASLR. Once guessed, the final MMS delivered the Qmage payload which executed the attack on the device.
Jurczyk was able to find a way to send MMS messages without triggering the notification sound on the Samsung device, so he says that stealth attacks using this flaw are possible.
Samsung has already rolled out the May 2020 security patch for its major flagship models. The company has also detailed the patch in its May 2020 security update bulletin. It is, however, unclear if the company will roll out the security patch for many of its older devices that have reached the end of their software support including the Galaxy S5, Galaxy S6, Note5, and others.