Samsung Mobile Phones Found to Have Zero-Click Vulnerability

A zero-click vulnerability in Samsung mobile phones, on exploitation, can enable threat actors to have access to all the privileges and permissions connected to Samsung Messenger. No interaction by the user would be necessary.

What is happening

This vulnerability exists only in Samsung phones running Android 4.4.4 or higher. Although this class of vulnerabilities were first discovered in late-2014, it is still being actively developed. This vulnerability has been listed as SVE-2020-16747. It is a memory corruption issue in Qmage image codec built into Skia.

The wider view

  • This vulnerability has been discovered by Mateusz Jurczyk of Google Project Zero.
  • This vulnerability enables hackers to take advantage of the Skia library.
  • After locating the library, a multimedia message is sent with a Qmage file. This can attack the phone with malicious code.
  • Since this is a zero-click attack, users would be immediately affected.

What the experts are saying

  • Jurczyk stated, “the default Samsung Messages app processes the contents of incoming MMS messages without any user interaction, and I expect that other similar attack vectors exist.”
  • Tripwire noted that this vulnerability is concerning since it does not require any interaction by the user.

What you can do

Samsung released a patch for this, which can be found in its May 2020 security update. Customers owning a Samsung device from 2014 or later, should install the update.

Worth noting

  • All Samsung flagships released in 2014 and later are plagued with some sort of Qmage-related bugs. These devices include Galaxy S5, Galaxy Note 4, and the complete Galaxy A series.
  • This attack can also happen without the user getting any text notification.
  • For the vulnerability to be exploited, it would take around 50-300 MMS attacks, which can be accomplished in 2 hours.

In essence

The exploit spends the first 100 minutes locating the address space layout on the victim’s phone to find the base addresses of two libraries required for remote code execution. This zero-click vulnerability reverberates with the zero-click vulnerability found in the Apple ecosystem.