Samsung addresses a zero-click vulnerability in May 2020 security patch

Samsung Smartphones since 2014 have suffered a critical vulnerability

Last week, Samsung rolled out its May 2020 security patch last week. The patch is meant to fix a "critical" remote code execution bug impacting Samsung mobile devices sold since 2014. The bug is tracked as SVE-2020-16747 in the update and is the result of Samsung devices' handling of the custom Qmage image format. As it turns out, hackers can exploit the flaw in a zero-click scenario, meaning it can work without a users' knowledge or any interaction with the device. 

Mateusz Jurczyk, a security researcher with Project Zero, discovered the bug in February. He noted that the bug provided hackers with a means of exploiting how Android’s graphics library, Skia, handles Qmage images sent to Samsung mobile devices. 

According to Jurczyk, after receiving an image file via the Samsung Messages app, Android then redirects it to the Skia library for processing. However, image files with the .qmg format can be exploited as they can locate the Skia library within the phone's memory, allowing hackers to execute codes without a user's knowledge or interaction with the device. In doing so, hackers could gain access to a variety of personal user data.

After discovering the vulnerability in February, Jurczyk took action by reporting the critical bug to Samsung. In doing so, he also provided a proof of concept that demonstrated the bug and how hackers could exploit it.

The good news is that by working with Project Zero researchers, Samsung has patched this critical vulnerability. Included in the company's most recent security update, the patch "adds the proper validation to prevent memory overwrite." Owners of post-2014 Samsung devices have been advised to apply this update immediately, especially that the vulnerability’s existence is now very well-known.

Featured Resources

How virtual desktop infrastructure enables digital transformation

Challenges and benefits of VDI

Free download

The Okta digital trust index

Exploring the human edge of trust

Free download

Optimising workload placement in your hybrid cloud

Deliver increased IT agility with the cloud

Free Download

Modernise endpoint protection and leave your legacy challenges behind

The risk of keeping your legacy endpoint security tools

Download now

Recommended

Samsung selects Texas for $17 billion semiconductor factory
components

Samsung selects Texas for $17 billion semiconductor factory

25 Nov 2021
Samsung 870 Evo review: Ticks all the boxes
solid state storage (SSD)

Samsung 870 Evo review: Ticks all the boxes

24 Nov 2021
Samsung 980 Pro review: Smashing speeds
solid state storage (SSD)

Samsung 980 Pro review: Smashing speeds

19 Nov 2021
Samsung T7 Touch review: One smart-looking SSD
solid state storage (SSD)

Samsung T7 Touch review: One smart-looking SSD

10 Nov 2021

Most Popular

How to move Microsoft's Windows 11 from a hard drive to an SSD
Microsoft Windows

How to move Microsoft's Windows 11 from a hard drive to an SSD

4 Jan 2022
Microsoft Exchange servers break thanks to 'Y2K22' bug
email delivery

Microsoft Exchange servers break thanks to 'Y2K22' bug

4 Jan 2022
Synology DiskStation DS2422+ review: A cube of great capacity
network attached storage (NAS)

Synology DiskStation DS2422+ review: A cube of great capacity

10 Jan 2022