Samsung started releasing the May 2020 security patch to its phones last week. Yesterday, the company detailed what exactly it fixed with the new security update. The latest security patch fixed 9 critical vulnerabilities discovered in Android and 19 vulnerabilities in Samsung's own software. One of those 19 vulnerabilities was a critical bug that plagued all Galaxy phones released since late 2014.
The zero-click security flaw resides in Samsung's custom version of Android, specifically in how it handles the custom 'Qmage' image format (.qmg) developed by South Korean company Quramsoft. All Galaxy phones from the South Korean brand have supported .qmg image files since late 2014, and Samsung's implementation of the format had serious vulnerabilities. Qmage files are reportedly used in Samsung Themes.
Zero-click security flaw targets Samsung's implementation of the Qmage image format
Mateusz Jurczyk, a security researcher who works with Google's Project Zero bug-hunting team, found the vulnerability. He discovered a way to exploit how Skia (Android's graphics library) in Samsung's phones handles Qmage images sent to the phone. The bug could be exploited in a zero-click scenario, which means that it doesn't need any user interaction.
Android is designed so that every image the device receives is passed to the Skia library, which processes it to create thumbnails. All of this happens without the user's interaction or knowledge. The researcher sent repeated MMS messages to Samsung phones in an attempt to guess the position of the Skia library in the device's memory.
Knowing the location of Skia is a necessary step to bypass Android's ASLR (Address Space Layout Randomization) protection. Once Skia's location is known, a final MMS containing a malicious Qmage file is sent to the phone, which then executes the attacker's code on the device.
Apparently, it takes anywhere between 50 and 300 messages to exploit the vulnerability, and it can be accomplished within two hours and without alerting the user. Other apps on the phone that can receive Qmage images can also be used to exploit the critical vulnerability. However, Samsung finally patched the bug (SVE-2020-16747) with the May 2020 security patch last week.
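A defender-side heuristic for the delivery pattern described above (dozens of image MMS from one sender inside two hours), written as an added example and not code from the article, Samsung or Project Zero: it parses a constructed, hypothetical MMS receipt log, counts .qmg attachments per sender in a sliding two-hour window, and flags any sender that reaches the article's lower bound of 50 messages.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format (hypothetical; not a real Samsung or Android log):
# "<ISO timestamp> MMS_RECV from=<sender> attachment=<filename>"
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) MMS_RECV from=(?P<sender>\S+) attachment=(?P<name>\S+)$"
)
# Thresholds from the article: 50-300 messages, delivered within two hours.
MIN_MESSAGES = 50
WINDOW = timedelta(hours=2)

def parse_lines(lines):
    """Yield (timestamp, sender, attachment) for well-formed lines; skip the rest."""
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m["ts"]), m["sender"], m["name"]

def flag_bursts(lines, min_messages=MIN_MESSAGES, window=WINDOW):
    """Senders whose .qmg MMS count reaches min_messages within any `window`."""
    per_sender = defaultdict(list)
    for ts, sender, name in parse_lines(lines):
        if name.lower().endswith(".qmg"):
            per_sender[sender].append(ts)
    flagged = {}
    for sender, stamps in per_sender.items():
        stamps.sort()
        start, best = 0, 0
        for end, ts in enumerate(stamps):
            # Slide the window start forward until the span fits in `window`.
            while ts - stamps[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= min_messages:
            flagged[sender] = best  # peak count seen in one window
    return flagged

def build_sample_log():
    """Constructed sample: 60 .qmg MMS from one sender over 90 min, 3 JPEGs from another."""
    base = datetime(2020, 5, 1, 9, 0, 0)
    lines = []
    for i in range(60):
        t = (base + timedelta(seconds=90 * i)).isoformat()
        lines.append(f"{t} MMS_RECV from=+15550001111 attachment=probe_{i}.qmg")
    for i in range(3):
        t = (base + timedelta(minutes=10 * i)).isoformat()
        lines.append(f"{t} MMS_RECV from=+15550002222 attachment=photo_{i}.jpg")
    return lines
```

Calling `flag_bursts(build_sample_log())` flags only the first sender; the JPEG sender and any sender below the 50-message bound are ignored.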
All Galaxy users should install the May 2020 security update as soon as their phones receive it in order to stay protected. The May 2020 security patch has already been released to the Galaxy S20 series, Galaxy Z Flip, Galaxy Fold, Galaxy Note 10, Galaxy S10, and the Galaxy A50.