Samsung started rolling out the May 2020 Security Patch last week. The security patch fixes a “critical” remote code execution (RCE) bug plaguing all Samsung mobiles sold since 2014. The security flaw resides in Samsung devices’ handling of the custom Qmage image format (.qmg) that is processed by Android’s graphics library called Skia. This security flaw can be exploited in a zero-click scenario, which means that it can work without users’ knowledge or without any kind of interaction with the device. Meanwhile, Samsung has acknowledged the security issue and its May security update contains the fix. It is uncertain whether the fix will be rolled out to all affected devices however, and we’ve reached out to the company for clarity on eligible devices.
What is the security flaw?
The security flaw resides with how Samsung devices interact with the Qmage image format was pointed by Mateusz Jurczyk, a security researcher with Google’s Project Zero bug-hunting team and was first reported by ZDNet. According to Jurczyk, once a Samsung user receives an image file via Samsung Messages app, Android redirects all images to the Skia library for processing. However, the image files with .qmg format can be exploited as it can reveal the position of the Skia library in the phone’s memory. The research further states that it requires up to 300 MMS messages to probe and bypass Android’s Address Space Layout Randomisation (ASLR) protection. The whole process of locating the Skia library typically takes around 100 minutes.
What happens after the Skia library is located?
As per Jurczyk, once the Skia library is traced via the Qmage file (in this case through files received on Samsung Messages app), the hacker can execute codes without user’s interaction with the device. As for what the hacker gains here, Jurczyk indicates that the attacker gains full access to a variety of personal user information including call logs, contacts, microphone, storage, SMS messages, etc.
“After reporting the crashes, I spent several weeks working on a 0-click MMS exploit proof-of-concept for one of the vulnerabilities. I managed to achieve this goal with a Samsung Galaxy Note 10+ phone running Android 10.” The process of locating the Skia library on the Samsung device was also demonstrated in a video by the security researcher.
Samsung smartphones started supporting the custom Qmage format on all devices released since late 2014. Samsung is said to be the only manufacturer affected by the bug, as it is reportedly the only one that modified the Android OS on its devices to support the Qmage format, developed by South Korean firm Quramsoft.
What is Samsung saying?
Although Samsung has not released any statement about the Qmage security flaw, the company is, however, rolling out updates to fix the problem. Recently, Samsung Galaxy S20 Series received the May 2020 security patch that fixes the zero-click vulnerability dubbed as SVE-2020-16747. The bug can be found on the Samsung security bulletin that has listed it as a “critical” issue. It describes it as “A possible memory overwrite vulnerability in Quram qmg library allows possible remote arbitrary code execution.” As mentioned, it is uncertain which devices will receive fix, and we’ve reached out for clarity on this front.