Samsung addresses a zero-click vulnerability in May 2020 security patch
Samsung Smartphones since 2014 have suffered a critical vulnerability
Last week, Samsung rolled out its May 2020 security patch last week. The patch is meant to fix a "critical" remote code execution bug impacting Samsung mobile devices sold since 2014. The bug is tracked as SVE-2020-16747 in the update and is the result of Samsung devices' handling of the custom Qmage image format. As it turns out, hackers can exploit the flaw in a zero-click scenario, meaning it can work without a users' knowledge or any interaction with the device.
Mateusz Jurczyk, a security researcher with Project Zero, discovered the bug in February. He noted that the bug provided hackers with a means of exploiting how Android’s graphics library, Skia, handles Qmage images sent to Samsung mobile devices.
According to Jurczyk, after receiving an image file via the Samsung Messages app, Android then redirects it to the Skia library for processing. However, image files with the .qmg format can be exploited as they can locate the Skia library within the phone's memory, allowing hackers to execute codes without a user's knowledge or interaction with the device. In doing so, hackers could gain access to a variety of personal user data.
After discovering the vulnerability in February, Jurczyk took action by reporting the critical bug to Samsung. In doing so, he also provided a proof of concept that demonstrated the bug and how hackers could exploit it.
The good news is that by working with Project Zero researchers, Samsung has patched this critical vulnerability. Included in the company's most recent security update, the patch "adds the proper validation to prevent memory overwrite." Owners of post-2014 Samsung devices have been advised to apply this update immediately, especially that the vulnerability’s existence is now very well-known.
B2B under quarantine
Key B2C e-commerce features B2B need to adopt to surviveDownload now
The top three IT pains of the new reality and how to solve them
Driving more resiliency with unified operations and service managementDownload now
The five essentials from your endpoint security partner
Empower your MSP business to operate efficientlyDownload now
How fashion retailers are redesigning their digital future
Fashion retail guideDownload now