Samsung fixes serious zero-click vulnerability in all Galaxy smartphones


Samsung has released a patch for a serious vulnerability affecting all Galaxy smartphones released since 2014. The Android vulnerability made it possible to completely take over a phone via a .qmg file, without any user intervention.

The bug has been fixed in the May security update for Samsung phones. The update addresses CVE-2020-8899, which Samsung itself tracks as SVE-2020-16747. The vulnerability is classified as ‘critical’.

The vulnerability lies in the way Android handles Qmage files, an image format that Samsung devices have supported since 2014. More specifically, it is in Android’s Skia library, through which Android routes all incoming images.

A security researcher at Google’s Project Zero discovered the vulnerability and also published a proof-of-concept showing how it can be exploited. The exploit works by sending a series of MMS messages to a device. Several messages were needed because this allowed Android’s Address Space Layout Randomization (ASLR), which places applications at random locations in memory, to be circumvented. Once that extra security measure was bypassed, the heap-based buffer overflow triggered by the malicious image could be exploited and code packaged in an MMS could be executed.

Because incoming images are automatically passed through the vulnerable library, no user intervention is required before the attack can be carried out. However, an attacker must send between fifty and three hundred MMS messages, a process that, according to the researcher, takes around a hundred minutes. Once on the device, it is possible to execute code. Such zero-click remote code execution is rare, especially when it works on so many different devices.
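The attack pattern described above has one observable a defender can look for: a burst of fifty to three hundred MMS messages from a single sender to a single recipient within roughly a hundred minutes. The following Python sketch is an added example, not code from the article or from Samsung or Google; the log line format, the sample data and the default thresholds are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed (constructed) messaging-gateway log format, one MMS per line:
#   "<ISO timestamp> mms sender=<number> recipient=<number> parts=<n>"

def parse_line(line):
    """Split one log line into (timestamp, sender, recipient)."""
    ts_str, _, rest = line.split(" ", 2)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return datetime.fromisoformat(ts_str), fields["sender"], fields["recipient"]

def find_mms_floods(lines, threshold=50, window=timedelta(minutes=100)):
    """Return {(sender, recipient): peak_count} for every pair that sent at
    least `threshold` MMS within any sliding `window` (defaults follow the
    figures quoted in the article: 50 messages in about 100 minutes)."""
    recent = defaultdict(deque)   # per (sender, recipient): timestamps in window
    flagged = {}
    for line in sorted(lines):    # ISO timestamps sort chronologically as strings
        ts, sender, recipient = parse_line(line)
        key = (sender, recipient)
        q = recent[key]
        q.append(ts)
        while q and ts - q[0] > window:   # drop timestamps older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged[key] = max(flagged.get(key, 0), len(q))
    return flagged

def build_sample_log():
    """Constructed sample: one sender bursts 60 MMS to a recipient in under
    90 minutes, alongside a second sender with ordinary, sparse traffic."""
    base = datetime(2020, 5, 6, 9, 0, 0)
    lines = []
    for i in range(60):   # one message every 90 seconds
        t = base + timedelta(seconds=90 * i)
        lines.append(f"{t.isoformat()} mms sender=+15550000001 recipient=+15550009999 parts=1")
    for i in range(5):    # one message every 30 minutes
        t = base + timedelta(minutes=30 * i)
        lines.append(f"{t.isoformat()} mms sender=+15550000002 recipient=+15550009999 parts=2")
    return lines

if __name__ == "__main__":
    for (sender, recipient), count in find_mms_floods(build_sample_log()).items():
        print(f"possible MMS flood: {sender} -> {recipient}, {count} messages in window")
```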

The vulnerability has been present on all Galaxy devices since 2014. Samsung is the only Android manufacturer that supports .qmg images; the Qmage format comes from the South Korean company Quramsoft. Samsung closed the vulnerability after the security researcher informed the company.
