Samsung addresses a zero-click vulnerability in May 2020 security patch

Samsung Sign on building entrance

Last week, Samsung rolled out its May 2020 security patch last week. The patch is meant to fix a "critical" remote code execution bug impacting Samsung mobile devices sold since 2014. The bug is tracked as SVE-2020-16747 in the update and is the result of Samsung devices' handling of the custom Qmage image format. As it turns out, hackers can exploit the flaw in a zero-click scenario, meaning it can work without a users' knowledge or any interaction with the device.

Mateusz Jurczyk, a security researcher with Project Zero, discovered the bug in February. He noted that the bug provided hackers with a means of exploiting how Android’s graphics library, Skia, handles Qmage images sent to Samsung mobile devices.

According to Jurczyk, after receiving an image file via the Samsung Messages app, Android then redirects it to the Skia library for processing. However, image files with the .qmg format can be exploited as they can locate the Skia library within the phone's memory, allowing hackers to execute codes without a user's knowledge or interaction with the device. In doing so, hackers could gain access to a variety of personal user data.

After discovering the vulnerability in February, Jurczyk took action by reporting the critical bug to Samsung. In doing so, he also provided a proof of concept that demonstrated the bug and how hackers could exploit it.

The good news is that by working with Project Zero researchers, Samsung has patched this critical vulnerability. Included in the company's most recent security update, the patch "adds the proper validation to prevent memory overwrite." Owners of post-2014 Samsung devices have been advised to apply this update immediately, especially that the vulnerability’s existence is now very well-known.