
Samsung Galaxy phone users are vulnerable to this critical security threat


Google security researchers discovered a high-risk security vulnerability that would affect every Samsung Galaxy smartphone sold since 2014.

Security issues are not uncommon for Android phones. Just recently, a team of Google security researchers discovered a critical vulnerability that would affect every Samsung Galaxy smartphone sold since 2014.

This security vulnerability could be dangerous because attackers can exploit it with zero user interaction.

Google’s Project Zero

Google has a special team in place to handle security vulnerabilities. Project Zero is a team of security researchers and experts tasked with searching for and fixing security issues across various platforms.

It’s also the very same team that discovered a major security issue within Samsung Galaxy smartphones.

Zero-click perfect 10 vulnerability

Mateusz Jurczyk of Project Zero was the one who discovered the security threat. The security researcher found a way to exploit how the Android graphics library, Skia, handles Qmage images sent to a device.

The threat itself has received a perfect 10 on the Common Vulnerability Scoring System (CVSS). This means it's as dangerous as it can be.

And the most difficult part is the fact that this vulnerability has existed since 2014. That is around the time Samsung first supported the .qmg format in their Galaxy smartphone lineup.

Attackers can exploit this Qmage vulnerability without any user interaction, which makes it a form of zero-click attack. Through this vulnerability, it would be easy to insert attack code on a Samsung Galaxy smartphone.

How the Qmage bug can be exploited

Jurczyk himself demonstrated how attackers could exploit the Qmage bug. According to the researcher, because all images sent to a device are redirected to Skia for processing, one would simply need to locate the graphics library in memory.

This could be done by repeatedly sending multimedia messages (MMS) to a particular device. Each of these messages is an attempt to locate Skia in the device's memory. Samsung and Android implement Address Space Layout Randomization (ASLR), which randomizes where libraries are loaded in memory, to add better security.

Sending MMS messages could potentially locate the randomized Skia location and bypass ASLR. This could take around 50 to 300 messages. Furthermore, the attack could take around 100 minutes to accomplish.

The final MMS would include the attacker's code to be executed on the victim's device.

What’s unfortunate about this is that attackers could silence the messages so the user wouldn’t know what is happening.

Resolved on the Samsung Galaxy

Project Zero reported this vulnerability back in February. Since then, Samsung has taken ample time to ensure that a fix would arrive. Thankfully, they managed to accomplish that in their new May 2020 security patch.

This would fix the Qmage vulnerability in all Samsung Galaxy smartphones sold since 2014.

Images courtesy Emiliano Cicero and Christian Wiediger/Unsplash

Carlo Rodriguez
