Samsung addresses a zero-click vulnerability in May 2020 security patch
Samsung Smartphones since 2014 have suffered a critical vulnerability
Last week, Samsung rolled out its May 2020 security patch last week. The patch is meant to fix a "critical" remote code execution bug impacting Samsung mobile devices sold since 2014. The bug is tracked as SVE-2020-16747 in the update and is the result of Samsung devices' handling of the custom Qmage image format. As it turns out, hackers can exploit the flaw in a zero-click scenario, meaning it can work without a users' knowledge or any interaction with the device.
Mateusz Jurczyk, a security researcher with Project Zero, discovered the bug in February. He noted that the bug provided hackers with a means of exploiting how Android’s graphics library, Skia, handles Qmage images sent to Samsung mobile devices.
According to Jurczyk, after receiving an image file via the Samsung Messages app, Android then redirects it to the Skia library for processing. However, image files with the .qmg format can be exploited as they can locate the Skia library within the phone's memory, allowing hackers to execute codes without a user's knowledge or interaction with the device. In doing so, hackers could gain access to a variety of personal user data.
After discovering the vulnerability in February, Jurczyk took action by reporting the critical bug to Samsung. In doing so, he also provided a proof of concept that demonstrated the bug and how hackers could exploit it.
The good news is that by working with Project Zero researchers, Samsung has patched this critical vulnerability. Included in the company's most recent security update, the patch "adds the proper validation to prevent memory overwrite." Owners of post-2014 Samsung devices have been advised to apply this update immediately, especially that the vulnerability’s existence is now very well-known.
How to be an MSP: Seven steps to success
Building your business from the ground upDownload now
The smart buyer’s guide to flash
Find out whether flash storage is right for your businessDownload now
How MSPs build outperforming sales teams
The definitive guide to salesDownload now
The business guide to ransomware
Everything you need to know to keep your company afloatDownload now