Samsung Reveals Critical Vulnerabilities in All Smartphones Released After 2014

A patch to fix the vulnerability has been released by Samsung, although it remains unclear when owners of Samsung Galaxy devices will receive it, as even newly-released smartphones are vulnerable.
Sputnik

As monthly security updates for Samsung roll out, Google's Project Zero researchers revealed details on a vulnerability in Samsung Android smartphones released in or after 2014. The bag was initially reported to Samsung in January.

The vulnerability is connected with how the Android operating system (OS) processes images of a particular format. An exploit using the vulnerability could potentially allow an intruder to gain control of the device through a code executed on the smartphone.

Samsung Galaxy smartphones handle images through the use of the qmg. file type, through the Skia library, something that a user has no control over. Mateusz Jurczyk, a Project Zero researcher who discovered the vulnerability, proved his disclosure by creating a series of MMS messages that were sent to a Samsung Galaxy 10+. The messages then located the Skia library on the device delivered the exploit, which, if performed by those with criminal intent, could contain malicious code that can be remotely executed. 

The code would be able to overwrite memory in the device almost immediately upon arrival via MMS, and a user does not have to open or interact the message. Moreover, a user would not know their smartphone was under attack, as this is 'zero-click' technology can avoid alerting a user as to what is happening.

"I have found ways to get MMS messages fully processed without triggering a notification sound on Android, so fully stealth attacks might be possible," Jurczyk said to ZDnet.

The Samsung Android OS weak spot is being tracked as CVE-2020-8899 exploitability, and is described as: 

"An unauthenticated, unauthorized attacker sending a specially-crafted MMS to a vulnerable phone can trigger a heap-based buffer overflow in the Quram image codec leading to an arbitrary remote code execution (RCE) without any user interaction."

Following the discovery, Samsung released updates that contain a patch that appears to overcome the problem. However, it is not yet clear when Samsung owners will be able to obtain this patch, as even newly-released devices like the Galaxy 10+ are yet to receive it.

Similar vulnerabilities in the Apple ecosystem were discovered by Google researchers in the end of April, revealing that the Mac IOS could be affected by data received from outside sources without the knowledge of, or interaction by, the user, particularly if users do not update their devices.

Discuss