Security Experts:

Connect with us

Hi, what are you looking for?


Mobile & Wireless

Samsung Patches Critical 0-Click Vulnerability in Smartphones

Samsung this week released its May 2020 set of security updates for Android smartphones, which includes a patch for a critical vulnerability impacting all of its devices since 2014. 

Samsung this week released its May 2020 set of security updates for Android smartphones, which includes a patch for a critical vulnerability impacting all of its devices since 2014. 

In addition to the fixes in the Android Security Bulletin – May 2020, the phone maker’s updates patch 19 vulnerabilities specific to Samsung smartphones. The most important of these are two critical flaws in secure bootloader and in Quram library with decoding qmg. 

The first of the issues is a heap based buffer overflow that could allow for the bypass of secure boot and potentially result in arbitrary code execution. Samsung says it addressed the bug with proper validation, but does not provide further details on the vulnerability.

The second security flaw is memory overwrite issue that could result in the execution of arbitrary code remotely, and which resides in the Quram qmg library. 

The bug appears to affect all Samsung smartphones released since 2014, when the company added support for the custom Qmage image format (.qmg) that was designed by Korean third-party company Quramsoft.

Discovered by Google Project Zero security researcher Mateusz Jurczyk, the vulnerability can be exploited through malicious MMS (multimedia) messages, without user interaction. A video demonstration of the 0-click MMS exploit proof-of-concept is now available (but not the exploit code).

The researcher says that, since there are four major versions of Qmage, Samsung’s Android smartphones released since late 2014 / early 2015 are affected to different degrees. The most recent devices are likely impacted by the largest number of issues, given their included support for all versions of Qmage. 

The researcher exploited the bug on a Samsung smartphone running Android 10 (with the February 2020 patches installed), with the default Samsung Messages app set as the SMS/MMS handler. 

“The vulnerable codec executes in the context of the attacked app processing input images, so the attacker also gets the privileges of that app. In the case of my demo, that’s Samsung Messages, which has access to a variety of personal user information: call logs, contacts, microphone, storage, SMS etc,” Jurczyk says.

Only Samsung’s devices are affected, because the piece of vulnerable software ships only on the company’s devices. 

High severity flaws the South Korean phone maker patched this month include arbitrary code execution in Quram library with decoding jpeg, possible brute forcing attack in Gatekeeper Trustlet, and possible spoofing in selected Broadcom Bluetooth chipset (which uses PRNG with low entropy). 

Samsung did not provide information on all of the vulnerabilities addressed this month, but revealed that it patched five low severity flaws: leak of clipboard information via USSD in the locked state, possible heap overflow in bootloader, unauthorized change of preferred SIM card in locked state, possible relative buffer write in S.LSI Wi-Fi drivers, and FRP bypass with SPEN.

Related: Android’s May 2020 Patches Fix Critical System Vulnerability

RelatedProtections Added by Samsung to Android Kernel Increase Attack Surface

Related: Facebook, Samsung, Ring Unveil New Privacy, Security Tools at CES 2020

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.


GoAnywhere MFT users warned about a zero-day remote code injection exploit that can be targeted directly from the internet