Samsung Finally Patches the 0-Click Vulnerability

May 7, 2020

Samsung has come a long way since it entered the Android market. It had a rocky start as far as software is concerned, mainly because of delayed updates, unstable software, and similar issues. At the time of writing, however, Samsung's software is in a much, much better place. In fact, we recently discussed how buying a Samsung phone right now makes the most sense for anyone who wants an Android device.

With that said, not everything is good. For those who do not know, a critical vulnerability that goes back to 2014 was found, and it has impacted all Samsung smartphones released in 2014 and onwards.


Samsung Has Released a Patch for the 0-Click Vulnerability

The security flaw pertained to how Samsung handles its custom Qmage image format (.qmg), which Samsung smartphones have used since 2014. Mateusz Jurczyk, a researcher on Google's Project Zero bug-hunting team, found a way to exploit the Android graphics library Skia through the way it handles Qmage images sent to the device.

As per Jurczyk, the bug can be exploited in a zero-click scenario, meaning the user does not need to interact with the device at all. This is because Android passes every image sent to the device to the Skia library for processing, such as generating thumbnail previews and similar tasks, and this happens without the user's knowledge.

The researcher created a proof-of-concept demo that exploited the bug against Samsung's messaging app. All Samsung devices capable of handling SMS and MMS were prone to this exploit.

According to Jurczyk, the bug was exploited by sending repeated MMS messages to a Samsung device. Each message then attempted to guess the position of the Skia library in the phone's memory, a necessary step to bypass Android's ASLR (Address Space Layout Randomization) protection.

Jurczyk went on to explain that once the library has been located in memory, a final MMS delivers the Qmage payload, which results in the attacker's code being executed.


Below is a video showing this in action.

As per Jurczyk, the attack needs anywhere from 50 to 300 MMS messages to bypass the ASLR protection. He also explained that it can be modified so that the user is not alerted, which means a full-fledged attack can be carried out without triggering notification sounds.
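The one observable trait of this attack that the article gives a number for is volume: 50 to 300 image-bearing MMS messages to a single recipient in a short span. As an added example (not code from the article, from Samsung or from Project Zero), the script below turns that into a simple defender-side heuristic that a carrier, MDM or messaging-gateway team could run over message metadata: count image attachments per sender/recipient pair in a sliding window and flag pairs that cross a threshold. The event layout (timestamp, sender, recipient, attachment name), the phone numbers, the attachment names and the threshold are all constructed assumptions for this example, not a real log format or a tuned value.

```python
"""Sliding-window burst detector for image-bearing MMS (added example).

Assumptions (not from the article): events are tuples of
(datetime, sender, recipient, attachment_name); the threshold and
window are illustrative and would need tuning on real traffic.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Attachment suffixes treated as images; .qmg is the Samsung Qmage format
# named in the article, the others are common formats Skia also decodes.
IMAGE_SUFFIXES = (".qmg", ".jpg", ".jpeg", ".png", ".gif")


def build_sample_log():
    """Constructed sample events: one benign sender exchanging a few
    files, and one sender delivering a Qmage attachment every five seconds,
    mirroring the 50-300 message count the article reports."""
    base = datetime(2020, 5, 6, 10, 0, 0)
    events = [
        (base, "+15550001", "+15559999", "holiday.jpg"),
        (base + timedelta(minutes=3), "+15550001", "+15559999", "notes.txt"),
        (base + timedelta(minutes=45), "+15550001", "+15559999", "dog.png"),
    ]
    events += [
        (base + timedelta(seconds=5 * i), "+15550002", "+15559999", f"img{i}.qmg")
        for i in range(120)
    ]
    return sorted(events)


def find_bursts(events, threshold=25, window=timedelta(minutes=10)):
    """Count image-bearing MMS per (sender, recipient) inside a sliding
    time window and return {(sender, recipient): peak_count} for every
    pair whose peak reaches `threshold`.  Non-image attachments are
    ignored so that ordinary file sharing does not inflate the count."""
    recent = defaultdict(deque)   # (sender, recipient) -> timestamps in window
    peak = {}
    for ts, sender, recipient, attachment in sorted(events):
        if not attachment.lower().endswith(IMAGE_SUFFIXES):
            continue
        key = (sender, recipient)
        q = recent[key]
        q.append(ts)
        # Drop timestamps that have fallen out of the window.
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) > peak.get(key, 0):
            peak[key] = len(q)
    return {k: n for k, n in peak.items() if n >= threshold}


if __name__ == "__main__":
    for (sender, recipient), count in find_bursts(build_sample_log()).items():
        print(f"ALERT: {sender} -> {recipient}: {count} image MMS within 10 min")
```

On the constructed log the benign sender peaks at one image per window and is never reported, while the spraying sender is flagged with 120 images inside ten minutes. The threshold sits well below the 50-message lower bound the article quotes so that an attack is caught before the ASLR guessing stage can finish; on real traffic the window and threshold should be set from observed legitimate MMS rates.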

Jurczyk also said that he did not test the exploitation process through other methods. However, exploitation is entirely possible in any app running on a Samsung device that can receive Qmage images from a remote attacker.

Thankfully, Samsung has patched this vulnerability in the latest May 2020 security update. The issue is tracked as SVE-2020-16747 in Samsung's security bulletin and CVE-2020-8899 in the Mitre CVE database.

At the time of writing, smartphones from other manufacturers have not been impacted as Samsung appears to be the only one using the custom Qmage image format.

