Samsung addresses a zero-click vulnerability in May 2020 security patch

Samsung Smartphones since 2014 have suffered a critical vulnerability

Last week, Samsung rolled out its May 2020 security patch last week. The patch is meant to fix a "critical" remote code execution bug impacting Samsung mobile devices sold since 2014. The bug is tracked as SVE-2020-16747 in the update and is the result of Samsung devices' handling of the custom Qmage image format. As it turns out, hackers can exploit the flaw in a zero-click scenario, meaning it can work without a users' knowledge or any interaction with the device. 

Mateusz Jurczyk, a security researcher with Project Zero, discovered the bug in February. He noted that the bug provided hackers with a means of exploiting how Android’s graphics library, Skia, handles Qmage images sent to Samsung mobile devices. 

According to Jurczyk, after receiving an image file via the Samsung Messages app, Android then redirects it to the Skia library for processing. However, image files with the .qmg format can be exploited as they can locate the Skia library within the phone's memory, allowing hackers to execute codes without a user's knowledge or interaction with the device. In doing so, hackers could gain access to a variety of personal user data.

After discovering the vulnerability in February, Jurczyk took action by reporting the critical bug to Samsung. In doing so, he also provided a proof of concept that demonstrated the bug and how hackers could exploit it.

The good news is that by working with Project Zero researchers, Samsung has patched this critical vulnerability. Included in the company's most recent security update, the patch "adds the proper validation to prevent memory overwrite." Owners of post-2014 Samsung devices have been advised to apply this update immediately, especially that the vulnerability’s existence is now very well-known.

Featured Resources

B2B under quarantine

Key B2C e-commerce features B2B need to adopt to survive

Download now

The top three IT pains of the new reality and how to solve them

Driving more resiliency with unified operations and service management

Download now

The five essentials from your endpoint security partner

Empower your MSP business to operate efficiently

Download now

How fashion retailers are redesigning their digital future

Fashion retail guide

Download now

Recommended

No new Galaxy Note this year, Samsung exec confirms
Mobile Phones

No new Galaxy Note this year, Samsung exec confirms

27 Jul 2021
Samsung Galaxy S21 5G review: A rose-tinted experience
Mobile Phones

Samsung Galaxy S21 5G review: A rose-tinted experience

14 Jul 2021
Samsung to support enterprise devices with five years of Android updates
Mobile Phones

Samsung to support enterprise devices with five years of Android updates

30 Jun 2021
Samsung becomes latest big name to pull out of MWC 2021
business continuity

Samsung becomes latest big name to pull out of MWC 2021

11 May 2021

Most Popular

The benefits of workload optimisation
Sponsored

The benefits of workload optimisation

16 Jul 2021
Samsung Galaxy S21 5G review: A rose-tinted experience
Mobile Phones

Samsung Galaxy S21 5G review: A rose-tinted experience

14 Jul 2021
Six ways boards can step up support for cyber security
Business strategy

Six ways boards can step up support for cyber security

22 Jul 2021