With the May 2020 Android security patch, Samsung has fixed a critical zero-click vulnerability that impacted all its smartphones sold since 2014. The security flaw lies in how the company's Android skin handles the 'Qmage' image format (.qmg).
Qmage is a custom image format developed by South Korean company Quramsoft. Samsung started supporting .qmg files in its Galaxy smartphones since 2014. The company reportedly uses them in Samsung Themes.
However, that implementation apparently had serious vulnerabilities. Mateusz Jurczyk, a security researcher working with Google's Project Zero bug-hunting team, recently discovered a way to exploit it (via ZDNet).
The vulnerability lies in how Skia (Android's graphics library) handles .qmg images sent to a Samsung smartphone. The bug can be exploited in a zero-click scenario, which means it doesn't need any user interaction.
Samsung fixes the zero-click vulnerability with May 2020 update
The Android OS redirects all images received by the device to the Skia library for processing and generating thumbnail previews. This happens without a user’s knowledge.
Jurczyk could exploit the bug by sending repeated MMS messages to Samsung phones. Because every incoming image is handed to the Skia library, he could use those repeated messages to narrow down where the library sits in the device's memory.
Knowing the location of the Skia library means he could then bypass Android's ASLR (Address Space Layout Randomization) protection. Once the library was located, one more MMS containing a Qmage file was sent to the phone, and that file would execute the attacker's code on the device.
Jurczyk says it takes anywhere between 50 and 300 MMS messages to exploit this vulnerability. The process takes about 100 minutes on average. The bug can be exploited through any app that can receive Qmage images, including Samsung's Messages app.
The researcher could even get MMS messages fully processed by the Skia library without triggering a notification sound, so a fully stealthy attack is very much possible.
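The attack described above needs a burst of 50 to 300 image-bearing MMS messages from one sender in roughly 100 minutes, which is a pattern a messaging gateway or device log can be checked for. The following detector is an added example, not code from the article, Samsung or Project Zero; it assumes a constructed log format of `timestamp from=<sender> type=<mime>` and uses the article's figures as thresholds.

```python
"""Flag senders that deliver an unusual burst of image MMS messages."""
from collections import defaultdict
from datetime import datetime, timedelta

# Thresholds taken from the figures in the article: the ASLR-guessing phase
# needed 50 to 300 MMS messages over about 100 minutes.
MIN_MESSAGES = 50
WINDOW = timedelta(minutes=100)


def parse_line(line):
    """Parse 'ISO-TIMESTAMP from=<sender> type=<mime>' (constructed format)."""
    ts, sender, mime = line.split()
    return (datetime.fromisoformat(ts),
            sender.split("=", 1)[1],
            mime.split("=", 1)[1])


def find_bursts(lines, min_messages=MIN_MESSAGES, window=WINDOW):
    """Return {sender: peak count} for senders whose image MMS count inside
    any sliding window of length `window` reaches `min_messages`.
    Only image/* attachments count, since those reach the image decoder."""
    per_sender = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        ts, sender, mime = parse_line(line)
        if mime.startswith("image/"):
            per_sender[sender].append(ts)
    flagged = {}
    for sender, times in per_sender.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # drop messages outside window
                start += 1
            count = end - start + 1
            if count >= min_messages:
                flagged[sender] = max(flagged.get(sender, 0), count)
    return flagged


def constructed_log():
    """Build a sample log (constructed, not captured): a benign sender with a
    few photos, and a sender pushing 60 images 90 seconds apart (~90 min)."""
    base = datetime(2020, 5, 4, 10, 0, 0)
    lines = [f"{(base + timedelta(minutes=20 * i)).isoformat()} "
             f"from=+15550001 type=image/jpeg" for i in range(3)]
    lines += [f"{(base + timedelta(seconds=90 * i)).isoformat()} "
              f"from=+15559999 type=image/jpeg" for i in range(60)]
    # A text-only message from the suspicious sender must not be counted.
    lines.append(f"{base.isoformat()} from=+15559999 type=text/plain")
    return lines
```

Running `find_bursts(constructed_log())` flags only the second sender; tune the thresholds downward if a gateway should alert before the lower end of the observed range is reached.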
Jurczyk discovered and reported the vulnerability to Samsung in February. The South Korean company eventually patched it with the May 2020 Android security update.
The May security maintenance release for Samsung smartphones also contains fixes for 18 other Samsung Vulnerabilities and Exposures (SVE), the vulnerabilities that are exclusive to Samsung's custom Android skin. It also fixes nine critical and dozens of high- and moderate-risk Android OS vulnerabilities.
Samsung started rolling out the May 2020 Android security update last week. The update has so far been released for the Galaxy S20, Galaxy Fold, Galaxy Note 10, Galaxy S10, Galaxy Z Flip, and the Galaxy A50 phones. It should also be available to other eligible Galaxy smartphones in the coming weeks.