Zero-click critical bug fixed by Samsung in its latest May 2020 security update
Samsung smartphones sold since 2014 carried a critical bug exploitable with zero clicks. The flaw lies in how the Android OS fork running on Samsung devices handles Samsung's custom image format (.qmg). It allowed attackers to take complete control of a Samsung smartphone or tablet after bypassing Android's ASLR (Address Space Layout Randomization) protection.
What is .qmg image format?
A .qmg file is part of a Samsung mobile phone theme (a .SMT file): it stores a graphic for one element of the theme, such as the phone background, a button, or another visual item, compiled into a proprietary Samsung binary format.
Mateusz Jurczyk, a security researcher with Google’s Project Zero bug-hunting team, discovered a way to exploit how Skia (the Android graphics library) handles .qmg images sent to a device.
Why is it called a 0-click bug? Because the .qmg flaw can be exploited with no user interaction at all. Android hands every image sent to a device to the Skia library for processing, for example to generate thumbnail previews, without the user being aware of it.
Jurczyk developed a proof of concept showing how the bug could be exploited through the Samsung Messages app, which ships on all Samsung devices and handles SMS and MMS messages. He exploited the bug by sending repeated MMS (multimedia SMS) messages to a Samsung device.
Each message attempted to guess the position of the Skia library in the phone's memory, a step needed to bypass Android's ASLR (Address Space Layout Randomization) protection. Once the Skia library had been located in memory, the last MMS delivered the actual .qmg payload, which then executed the attacker's code on the device, the researcher said.
He also added: "the attack usually needs between 50 and 300 MMS messages to probe and bypass the ASLR, which usually takes around 100 minutes, on average. While the attack might look noisy, it can also be modified to execute without alerting the user. I have found ways to get MMS messages fully processed without triggering a notification sound on Android, so fully stealth attacks might be possible."
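The probing pattern described above, a burst of tens to hundreds of MMS from one sender inside roughly 100 minutes, is something a defender can look for in messaging logs. The following is an added detection example, not code from the article or from Project Zero: the log format, phone numbers and the 50-message / 100-minute thresholds (taken from the figures quoted) are constructed assumptions.

```python
"""Flag senders whose inbound MMS volume inside a sliding window matches the
ASLR-probing pattern described for CVE-2020-8899. Added example; the log
format and thresholds are constructed, not from the article."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=100)  # duration the article quotes for a full probe
THRESHOLD = 50                   # lower bound of MMS count the article quotes


def parse_line(line):
    """Parse a constructed log line 'ISO-timestamp sender' into (datetime, sender)."""
    ts, sender = line.split()
    return datetime.fromisoformat(ts), sender


def detect_mms_bursts(lines, window=WINDOW, threshold=THRESHOLD):
    """Return {sender: peak_count} for every sender that delivered at least
    `threshold` MMS within any `window`. Lines must be in time order."""
    recent = defaultdict(deque)
    flagged = {}
    for line in lines:
        if not line.strip():
            continue
        ts, sender = parse_line(line)
        q = recent[sender]
        q.append(ts)
        # Evict timestamps that fell out of the sliding window
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            flagged[sender] = max(flagged.get(sender, 0), len(q))
    return flagged


def build_sample_log():
    """Constructed log: one benign sender, one sender flooding MMS."""
    start = datetime(2020, 5, 1, 10, 0, 0)
    events = []
    for i in range(3):   # benign: three MMS spread over an hour
        events.append((start + timedelta(minutes=20 * i), "+15550001111"))
    for i in range(80):  # suspicious: one MMS per minute for 80 minutes
        events.append((start + timedelta(minutes=i), "+15550009999"))
    events.sort()
    return [f"{ts.isoformat()} {sender}" for ts, sender in events]


if __name__ == "__main__":
    for sender, count in detect_mms_bursts(build_sample_log()).items():
        print(f"{sender}: {count} MMS within {WINDOW}")
```

On a real device or carrier feed the same window-and-threshold logic applies; only `parse_line` needs adapting to the actual record format.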
Jurczyk discovered and reported the bug to Samsung in February. Samsung has now fixed it in its May 2020 security update. The bug is tracked as SVE-2020-16747 in the Samsung security bulletin and as CVE-2020-8899 in the MITRE CVE database.
You can take a look at the exploitation of a Samsung Galaxy Note 10+ by the Google researcher below: