Mateusz Jurczyk, a security researcher from Google Project Zero, has discovered a critical zero-click vulnerability leading to remote code execution that affects all Samsung smartphones released since 2014.
The flaw lies in how the Android flavour running on Samsung devices handles the custom Qmage image format (.qmg), which Samsung smartphones have supported on all devices released since late 2014.
The bug is rated high severity because exploiting it requires no user interaction. It works because Android passes every image sent to a device to the Skia library for processing, such as generating thumbnail previews, without the user's knowledge.
For the demo and PoC, the researcher showed the bug being exploited on Samsung's latest flagship, the Galaxy Note 10+. The PoC targets the Samsung Messages app, which is included on all Samsung devices and handles SMS and MMS messages.
He exploited the bug by sending repeated MMS messages to a Samsung device. Each message attempted to guess the position of the Skia library in the phone's memory, an operation necessary to bypass Android's ASLR (Address Space Layout Randomization) protection.
Once the Skia library was located in memory, the final MMS delivered the actual Qmage payload, which then executed the attacker's code on the device.
The attack usually needs between 50 and 300 MMS messages to probe and bypass ASLR, which takes some time.
Since the attack goes through the messaging app, the target device would normally show MMS notifications, which can look spammy. On this point, Jurczyk says:
"I have found ways to get MMS messages fully processed without triggering a notification sound on Android, so fully stealth attacks might be possible."

The researcher reported the vulnerability to Samsung in February; in response a fix has been developed and will be pushed in the May security updates. If you use a Samsung device, it is highly recommended to check for updates under the Settings → About section.
The bug is tracked as SVE-2020-16747 in the Samsung security bulletin and CVE-2020-8899 in the MITRE CVE database.