All Samsung phones since 2014 vulnerable to scary 'zero-click' attack — what to do
New exploit can stealthily attack your phone
Samsung is patching a critical security issue affecting all its Android smartphones dating back to 2014, including Galaxy phones. A "zero-click" vulnerability, this newly discovered flaw could let a hacker wreak havoc on your phone by simply sending you a specific type of image, exploiting your device without any user action.
As reported by ZDNet, this vulnerability was discovered by Mateusz Jurczyk, a security researcher on Google's Project Zero team. Jurczyk notes that this flaw has to do with how Samsung phones handle the Qmage image format (.qmg), which is supported on all Galaxy devices from late 2014 onward, beginning with Android 4.4.4 KitKat.
- The best password managers to keep yourself safe
- Our picks for the best Android antivirus apps
- Latest: OnePlus 8T could crush Samsung Galaxy Note 20 with upgrade
How the attack works
As Jurczyk demonstrated in a video, this vulnerability could allow hackers to take advantage of the Skia image library, which all images sent to an Android device go through for processing to create things such as thumbnail previews. The flaw doesn't exist in non-Samsung phones.
Jurczyk used the Samsung Messages app by sending a series of multimedia SMS messages to a Samsung device, with each text attempting to find the location of the Skia library in the phone's memory.
Once the Skia library is located, one final multimedia message is sent with a Qmage file, which can then attack a phone with malicious code. As this is a zero-click attack, users would immediately be impacted, even if they don't open the message.
According to Jurczyk, the attack would require between 50 and 300 multimedia messages to bypass Android's ASLR (Address Space Layout Randomization) protection and find the vulnerable spot in system memory, which could be done in less than 2 hours.
He also notes that he's found ways to get the MMS messages processed without triggering a notification, meaning that this attack can happen without a user even getting a text alert.
Sign up now to get the best Black Friday deals!
Discover the hottest deals, best product picks and the latest tech news from our experts at Tom’s Guide.
What to do if you're affected
This flaw was patched in Samsung's May 2020 Security Update for Android, so if you own a Samsung device from 2014 or later, make sure to install the update when you get it.
Jurczyk said that "all Samsung Android devices released since late 2014 / early 2015 up to today's flagships are affected by some or all of the Qmage-related bugs," which includes the Samsung Galaxy Note 4 and newer, Galaxy S5 and newer, and the entire Samsung Galaxy A (Alpha) series.
Mike Andronico is Senior Writer at CNNUnderscored. He was formerly Managing Editor at Tom's Guide, where he wrote extensively on gaming, as well as running the show on the news front. When not at work, you can usually catch him playing Street Fighter, devouring Twitch streams and trying to convince people that Hawkeye is the best Avenger.
-
fs.gcs admin said:Samsung just patched a dangerous 'zero-click' vulnerability that allows hackers to attack phones with image files.
All Samsung phones since 2014 vulnerable to scary 'zero-click' attack — what to do : Read more
The 'scope' section of the Samsung Security Updates page defines what devices will get update and when. Anything older than a Galaxy 8 won't get the security update.