Google Project Zero team experts discovered a critical bug that has threatened Samsung smartphones since 2014. Samsung developers have already fixed this vulnerability.
The vulnerability is tracked as SVE-2020-16747 in the Samsung security bulletin and as CVE-2020-8899 in the MITRE CVE list. The root of the problem is how the Android build running on Samsung devices handles the Qmage image format (.qmg), which Samsung smartphones started supporting six years ago.
Researchers found a way to abuse Skia (the Android graphics library that processes Qmage images) for malicious activity.
“Exploitation of the bug did not require any interaction with the user, since Android redirects all received Qmage images to the Skia library for processing (for example, to create preview thumbnails) and does this without the user’s awareness,” said Google Project Zero researchers.
The experts demonstrated a proof-of-concept exploit for the bug using the Samsung Messages application, which is installed “out of the box” on all Samsung smartphones and is used to handle SMS and MMS messages.
In theory, however, the bug could be exploited through any other application running on a Samsung phone, as long as that application can receive Qmage images from a remote attacker.
By the way, this is not the first time we are talking about the fact that Samsung smartphones can be hacked using SMS.
To exploit the vulnerability, the experts sent a series of MMS messages to the device, each of which tried to guess the location of the Skia library in the phone’s memory; this was necessary to bypass Android’s ASLR protection.
Once the Skia library had been located, a final MMS message delivered the payload to the device as a Qmage image, through which the attacker’s code was executed on the device.
On average, such an attack takes between 50 and 300 MMS messages to locate Skia and bypass ASLR, which takes about 100 minutes.
Although at first glance such an attack seems quite “noisy” and would clearly attract the user’s attention, the researchers managed to find ways to completely suppress the notification sound for MMS messages, which makes the attack stealthy and more dangerous.
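The attack described above depends on a burst of tens to hundreds of MMS messages with Qmage attachments from a single sender within roughly an hour or two, so a flood of image MMS from one source is a useful detection signal on the carrier or MDM side. The following is an added example written for this article, not code from Google Project Zero or Samsung: a sliding-window detector run over constructed, clearly fake MMS receipt log lines. The log line format, the field names, the 100-minute window and the alert threshold of 20 messages are all assumptions chosen for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log line format (not a real carrier or Android log format):
#   <ISO timestamp> mms-in sender=<number> attachment=<filename>
LINE_RE = re.compile(r"^(\S+) mms-in sender=(\S+) attachment=(\S+)$")

# Window and threshold are assumptions. The article reports 50-300 messages in
# about 100 minutes, so a window of that size with a lower threshold alerts early.
WINDOW = timedelta(minutes=100)
THRESHOLD = 20


def parse_line(line):
    """Parse one log line into (timestamp, sender, attachment); None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, sender, attachment = m.groups()
    return datetime.fromisoformat(ts), sender, attachment


def is_qmage(name):
    """Qmage attachments carry the .qmg extension mentioned in the article."""
    return name.lower().endswith(".qmg")


def detect_qmage_floods(lines, window=WINDOW, threshold=THRESHOLD):
    """Return {sender: (count_in_window, time_of_first_alert)} for senders whose
    Qmage MMS count within `window` reached `threshold`. Lines must be in time order."""
    recent = defaultdict(deque)   # sender -> timestamps of recent .qmg MMS
    alerts = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, sender, attachment = parsed
        if not is_qmage(attachment):
            continue
        q = recent[sender]
        q.append(ts)
        while q and ts - q[0] > window:   # drop timestamps outside the window
            q.popleft()
        if len(q) >= threshold and sender not in alerts:
            alerts[sender] = (len(q), ts)
    return alerts


def build_sample_log():
    """Constructed sample data (not real traffic): one sender flooding .qmg
    attachments every two minutes, plus a benign sender with two messages."""
    base = datetime(2020, 5, 1, 10, 0, 0)
    lines = []
    for i in range(25):
        t = base + timedelta(minutes=2 * i)
        lines.append(f"{t.isoformat()} mms-in sender=+15550001 attachment=img{i}.qmg")
    lines.append(f"{(base + timedelta(minutes=3)).isoformat()} mms-in sender=+15559999 attachment=holiday.jpg")
    lines.append(f"{(base + timedelta(minutes=5)).isoformat()} mms-in sender=+15559999 attachment=pic.qmg")
    return sorted(lines)   # ISO timestamps sort lexicographically into time order


if __name__ == "__main__":
    for sender, (n, when) in detect_qmage_floods(build_sample_log()).items():
        print(f"ALERT {sender}: {n} Qmage MMS within {WINDOW} (triggered at {when})")
```

In the constructed sample the flooding sender crosses the threshold on its 20th message, 38 minutes after the first, while the benign sender with a single .qmg attachment is never flagged. A real deployment would tune the window and threshold to observed baseline traffic and correlate the alert with the device's own notification settings, since the article notes the attacker can silence MMS notifications.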
Google Project Zero experts discovered the vulnerability in February this year and immediately reported it to Samsung engineers. The South Korean manufacturer has since fixed the problem: the patch was included in the security updates for May 2020.