All Samsung phones since 2014 vulnerable to scary 'zero-click' attack — what to do
New exploit can stealthily attack your phone
Samsung is patching a critical security issue affecting all its Android smartphones dating back to 2014, including Galaxy phones. A "zero-click" vulnerability, this newly discovered flaw could let a hacker wreak havoc on your phone by simply sending you a specific type of image, exploiting your device without any user action.
As reported by ZDNet, this vulnerability was discovered by Mateusz Jurczyk, a security researcher on Google's Project Zero team. Jurczyk notes that this flaw has to do with how Samsung phones handle the Qmage image format (.qmg), which is supported on all Galaxy devices from late 2014 onward, beginning with Android 4.4.4 KitKat.
How the attack works
As Jurczyk demonstrated in a video, this vulnerability could allow hackers to take advantage of the Skia image library, which processes every image sent to an Android device to create things such as thumbnail previews. The flaw doesn't exist in non-Samsung phones.
Jurczyk carried out the attack through the Samsung Messages app, sending a series of multimedia (MMS) messages to a Samsung device, with each message attempting to find the location of the Skia library in the phone's memory.
Once the Skia library is located, one final multimedia message is sent with a Qmage file, which can then attack a phone with malicious code. As this is a zero-click attack, users would immediately be impacted, even if they don't open the message.
According to Jurczyk, the attack would require between 50 and 300 multimedia messages to bypass Android's ASLR (Address Space Layout Randomization) protection and find the vulnerable spot in system memory, which could be done in less than 2 hours.
He also notes that he's found ways to get the MMS messages processed without triggering a notification, meaning that this attack can happen without a user even getting a text alert.
What to do if you're affected
This flaw was patched in Samsung's May 2020 Security Update for Android, so if you own a Samsung device from 2014 or later, make sure to install the update when you get it.
Jurczyk said that "all Samsung Android devices released since late 2014 / early 2015 up to today's flagships are affected by some or all of the Qmage-related bugs," which includes the Samsung Galaxy Note 4 and newer, Galaxy S5 and newer, and the entire Samsung Galaxy A (Alpha) series.
Mike Andronico is Senior Writer at CNNUnderscored. He was formerly Managing Editor at Tom's Guide, where he wrote extensively on gaming, as well as running the show on the news front. When not at work, you can usually catch him playing Street Fighter, devouring Twitch streams and trying to convince people that Hawkeye is the best Avenger.

