South Korean smartphone vendor Samsung released this week a security update to fix a critical vulnerability impacting all smartphones sold since 2014.
The security flaw resides in how the Android OS flavor running on Samsung devices handles the custom Qmage image format (.qmg), which Samsung smartphones started supporting on all devices released since late 2014.
Mateusz Jurczyk, a security researcher with Google’s Project Zero bug-hunting team, discovered a way to exploit how Skia (the Android graphics library) handles Qmage images sent to a device.
Bug can be exploited without user interaction
Jurczyk says the Qmage bug can be exploited in a zero-click scenario, without any user interaction. This happens because Android redirects all images sent to a device to the Skia library for processing — such as generating thumbnail previews — without a user’s knowledge.
The researcher developed a proof-of-concept demo exploiting the bug against the Samsung Messages app, included on all Samsung devices and responsible for handling SMS and MMS messages.
Jurczyk said he exploited the bug by sending repeated MMS (multimedia SMS) messages to a Samsung device. Each message attempted to guess the position of the Skia library in the Android phone’s memory, a necessary operation to bypass Android’s ASLR (Address Space Layout Randomization) protection.
Jurczyk says that once the Skia library was located in memory, a last MMS delivers the actual Qmage payload, which then executed the attacker’s code on a device.
The Google researcher says the attack usually needs between 50 and 300 MMS messages to probe and bypass the ASLR, which usually takes around 100 minutes, on average.
Furthermore, Jurczyk says that while the attack might look noisy, it can also be modified to execute without alerting the user.
“I have found ways to get MMS messages fully processed without triggering a notification sound on Android, so fully stealth attacks might be possible,” the Google researcher says.
In addition, Jurczyk says that while he did not test exploiting the Qmage bug through other methods outside MMS and the Samsung Messages app, exploitation is theoretically possible against any app running on a Samsung phone that can receive Qmage images from a remote attacker.
Bug patched this week
The researcher discovered the vulnerability in February and reported the issue to Samsung. The South Korean phone maker patched the bug in its May 2020 security updates.
The bug is tracked as SVE-2020-16747 in the Samsung security bulletin and CVE-2020-8899 in the Mitre CVE database.
Other smartphones don’t appear to be impacted as only Samsung appears to have modified the Android OS to support the custom Qmage image format — developed by South Korean company Quramsoft.
This bug report is part of Project Zero’s recent focus on the zero-click attack surface in modern operating systems, and especially in their graphics processing code. Previously Google researchers also disclosed 14 zero-click bugs in Image I/O, Apple’s image parsing framework.
Jurczyk’s technical report on the Qmage bug is available here.