All Samsung phones since 2014 vulnerable to scary 'zero-click' attack — what to do

Samsung Galaxy S20
(Image credit: Tom's Guide)

Samsung is patching a critical security issue affecting all its Android smartphones dating back to 2014, including Galaxy phones. A "zero-click" vulnerability, this newly discovered flaw could let a hacker wreak havoc on your phone by simply sending you a specific type of image, exploiting your device without any user action. 

As reported by ZDNet, this vulnerability was discovered by Mateusz Jurczyk, a security researcher on Google's Project Zero team. Jurczyk notes that this flaw has to do with how Samsung phones handle the Qmage image format (.qmg), which is supported on all Galaxy devices from late 2014 onward, beginning with Android 4.4.4 KitKat. 

How the attack works

As Jurczyk demonstrated in a video, this vulnerability could allow hackers to take advantage of the Skia image library, which all images sent to an Android device go through for processing to create things such as thumbnail previews. The flaw doesn't exist in non-Samsung phones.

Jurczyk used the Samsung Messages app by sending a series of multimedia SMS messages to a Samsung device, with each text attempting to find the location of the Skia library in the phone's memory. 

Once the Skia library is located, one final multimedia message is sent with a Qmage file, which can then attack a phone with malicious code. As this is a zero-click attack, users would immediately be impacted, even if they don't open the message.

According to Jurczyk, the attack would require between 50 and 300 multimedia messages to bypass Android's ASLR (Address Space Layout Randomization) protection and find the vulnerable spot in system memory, which could be done in less than 2 hours. 

He also notes that he's found ways to get the MMS messages processed without triggering a notification, meaning that this attack can happen without a user even getting a text alert. 

What to do if you're affected

This flaw was patched in Samsung's May 2020 Security Update for Android, so if you own a Samsung device from 2014 or later, make sure to install the update when you get it.

Jurczyk said that "all Samsung Android devices released since late 2014 / early 2015 up to today's flagships are affected by some or all of the Qmage-related bugs," which includes the Samsung Galaxy Note 4 and newer, Galaxy S5 and newer, and the entire Samsung Galaxy A (Alpha) series. 

Michael Andronico

Mike Andronico is Senior Writer at CNNUnderscored. He was formerly Managing Editor at Tom's Guide, where he wrote extensively on gaming, as well as running the show on the news front. When not at work, you can usually catch him playing Street Fighter, devouring Twitch streams and trying to convince people that Hawkeye is the best Avenger.

  • fs.gcs
    admin said:
    Samsung just patched a dangerous 'zero-click' vulnerability that allows hackers to attack phones with image files.

    All Samsung phones since 2014 vulnerable to scary 'zero-click' attack — what to do : Read more

    The 'scope' section of the Samsung Security Updates page defines what devices will get update and when. Anything older than a Galaxy 8 won't get the security update.
    Reply