Samsung has released a security update for its popular Android smartphones containing a critical fix for a security vulnerability that affects all devices the manufacturer has sold since 2014.
On its Android security update page, Samsung thanks researcher Mateusz Jurczyk of Google’s Project Zero for discovering a vulnerability that he believes can be used to execute malicious code on a target device without alerting the user.
If the attack succeeds, the attacker can remotely access a variety of information – including call logs, the address book, SMS archives and so on – and send that information back to the attacker’s own computer.
In a video on YouTube, the researcher shows how the vulnerability can be exploited by an attacker who sends a booby-trapped image to a device via MMS.
The poisoned file is a Samsung Qmage (QMG) image, which exploits a vulnerability in the image codec library used on Samsung smartphones to corrupt memory and execute code remotely.
What makes this vulnerability particularly serious is the claim that it can be exploited without any user interaction: a zero-click scenario in which, for example, a vulnerable phone that simply generates a thumbnail preview of an incoming message for a notification could trigger the attack.
And don’t assume that your smartphone will at least make a sound when a poisoned message arrives, even if the message itself never appears. In Jurczyk’s words: “Although the proof-of-concept demonstration in the video does not try to be silent or stealthy, after a few short experiments I have found ways to get MMS messages fully processed on Android without triggering a notification sound, so that completely hidden attacks may be possible.”
According to Jurczyk’s write-up on the Project Zero blog, the code used to handle QMG files is complex and may never have been properly reviewed for security issues:
The complexity of the Qmage codec is very high – QMG files can choose from several custom compression schemes, each of which is handled by a long and convoluted decompression routine. The library has dozens of functions longer than 4 kB, and one of the longest (QuramQumageDecoder32bit24bit) is 40 kB (!) in length. The result is tens of thousands of lines of C code that have most likely never been thoroughly examined in the form of security audits or fuzz testing. My conclusion is based on the fact that the code does not seem to perform bounds checks at any point during file parsing, and that almost every trivial mutation of a valid test file crashes it immediately (e.g. if the image dimensions are slightly increased).
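To make the missing-bounds-check point above concrete, here is an added example that is not Samsung’s code, not Project Zero’s, and not the Qmage format: a constructed run-length image decoder in which every read is checked against the input length and every write against the declared pixel count, so that the “slightly increased image size” mutation from the quote is rejected with an error instead of corrupting memory. All format details and sample bytes are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed toy format (not Qmage): header = width, height (one byte each),
 * body = (run_length, pixel_value) pairs until width*height pixels exist. */
enum { TOY_OK = 0, TOY_ERR_HEADER, TOY_ERR_TRUNCATED, TOY_ERR_OVERRUN, TOY_ERR_OOM };

/* Decode in[0..len) into a malloc'd width*height buffer. Every read is checked
 * against len and every write against the buffer size; the quoted write-up says
 * the real decoder does neither, so a header or run field that disagrees with
 * the actual data walks straight off the end of a buffer. */
int toy_decode(const uint8_t *in, size_t len, uint8_t **out, size_t *out_len) {
    *out = NULL; *out_len = 0;
    if (len < 2 || in[0] == 0 || in[1] == 0) return TOY_ERR_HEADER;
    size_t pixels = (size_t)in[0] * in[1];
    uint8_t *buf = malloc(pixels);
    if (buf == NULL) return TOY_ERR_OOM;
    size_t pos = 2, written = 0;
    while (written < pixels) {
        if (pos + 2 > len) { free(buf); return TOY_ERR_TRUNCATED; } /* input ran out */
        size_t run = in[pos], value = in[pos + 1];
        pos += 2;
        /* An unchecked decoder would memset here no matter how much room is left. */
        if (run == 0 || run > pixels - written) { free(buf); return TOY_ERR_OVERRUN; }
        memset(buf + written, (int)value, run);
        written += run;
    }
    *out = buf; *out_len = pixels;
    return TOY_OK;
}

/* Decode, return only the status code, and free the pixel buffer. */
int toy_status(const uint8_t *in, size_t len) {
    uint8_t *px; size_t n;
    int rc = toy_decode(in, len, &px, &n);
    free(px);
    return rc;
}

/* Constructed samples: a valid 4x2 image, the same bytes with the height bumped
 * by one (the "image size slightly increased" mutation from the quote), and one
 * with a run length inflated past the declared pixel count. */
static const uint8_t SAMPLE_VALID[]   = {4, 2, 4, 0xAA, 4, 0x55};
static const uint8_t SAMPLE_TALLER[]  = {4, 3, 4, 0xAA, 4, 0x55};
static const uint8_t SAMPLE_LONGRUN[] = {4, 2, 4, 0xAA, 0xFF, 0x55};
int demo_valid(void)   { return toy_status(SAMPLE_VALID, sizeof SAMPLE_VALID); }
int demo_taller(void)  { return toy_status(SAMPLE_TALLER, sizeof SAMPLE_TALLER); }
int demo_longrun(void) { return toy_status(SAMPLE_LONGRUN, sizeof SAMPLE_LONGRUN); }
```

The taller header makes the decoder expect 12 pixels from a body that only supplies 8, and the inflated run asks to write 255 pixels into the 4 slots left; an unchecked decoder would keep going in both cases, which is the crash-on-trivial-mutation behaviour the quote describes.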
But there’s also good news.
First, the vulnerability is specific to software shipped on Samsung Android devices since late 2014/early 2015. This means that if you are using an Android smartphone from another manufacturer, you should not be affected by it.
Secondly, Google Project Zero did not release its proof-of-concept code, choosing instead to publish a demo video. This reduces the chance that someone will take the attack code and adapt it for use against unpatched Samsung smartphones for their own malicious purposes.
Thirdly, Jurczyk says that for an attack to succeed, it typically takes 50 to 300 MMS messages sent to the target device before it can successfully bypass some of the security measures built into Android. Such an attack would take about 100 minutes to carry out (the actual duration may depend on a number of factors).
Last but not least, Jurczyk responsibly reported the critical security issue to Samsung in January, but held back publication until this week, giving the phone manufacturer time to develop a patch (SVE-2020-16747) for its millions of users.
Editor’s note: The opinions expressed in this guest article are those of the author alone and do not necessarily reflect the opinion of Tripwire, Inc.