Samsung Patches Critical 0-Click Vulnerability in Smartphones

Samsung this week released its May 2020 set of security updates for Android smartphones, which includes a patch for a critical vulnerability impacting all of its devices since 2014. 

In addition to the fixes in the Android Security Bulletin – May 2020, the phone maker’s updates patch 19 vulnerabilities specific to Samsung smartphones. The most important of these are two critical flaws in secure bootloader and in Quram library with decoding qmg. 

The first of the issues is a heap based buffer overflow that could allow for the bypass of secure boot and potentially result in arbitrary code execution. Samsung says it addressed the bug with proper validation, but does not provide further details on the vulnerability.

The second security flaw is memory overwrite issue that could result in the execution of arbitrary code remotely, and which resides in the Quram qmg library. 

The bug appears to affect all Samsung smartphones released since 2014, when the company added support for the custom Qmage image format (.qmg) that was designed by Korean third-party company Quramsoft.

Discovered by Google Project Zero security researcher Mateusz Jurczyk, the vulnerability can be exploited through malicious MMS (multimedia) messages, without user interaction. A video demonstration of the 0-click MMS exploit proof-of-concept is now available (but not the exploit code).

The researcher says that, since there are four major versions of Qmage, Samsung’s Android smartphones released since late 2014 / early 2015 are affected to different degrees. The most recent devices are likely impacted by the largest number of issues, given their included support for all versions of Qmage. 

The researcher exploited the bug on a Samsung smartphone running Android 10 (with the February 2020 patches installed), with the default Samsung Messages app set as the SMS/MMS handler. 

“The vulnerable codec executes in the context of the attacked app processing input images, so the attacker also gets the privileges of that app. In the case of my demo, that’s Samsung Messages, which has access to a variety of personal user information: call logs, contacts, microphone, storage, SMS etc,” Jurczyk says.

Only Samsung’s devices are affected, because the piece of vulnerable software ships only on the company’s devices. 

High severity flaws the South Korean phone maker patched this month include arbitrary code execution in Quram library with decoding jpeg, possible brute forcing attack in Gatekeeper Trustlet, and possible spoofing in selected Broadcom Bluetooth chipset (which uses PRNG with low entropy). 

Samsung did not provide information on all of the vulnerabilities addressed this month, but revealed that it patched five low severity flaws: leak of clipboard information via USSD in the locked state, possible heap overflow in bootloader, unauthorized change of preferred SIM card in locked state, possible relative buffer write in S.LSI Wi-Fi drivers, and FRP bypass with SPEN.

Related: Android’s May 2020 Patches Fix Critical System Vulnerability

Related: Protections Added by Samsung to Android Kernel Increase Attack Surface

Related: Facebook, Samsung, Ring Unveil New Privacy, Security Tools at CES 2020