If you own a Samsung mobile device, keep an eye out for a very specific security patch (SVE-2020-16747) for the company’s iteration of Android. That update includes a fix for a vulnerability that has existed in the operating system since 2014, but was only recently discovered and reported by Mateusz Jurczyk, a researcher with Google Project Zero. It’s unclear if the vulnerability was known to, or exploited by, any malicious actors prior to Jurczyk’s discovery in January 2020. What is clear is that the loophole it left in Samsung’s mobile security was sizeable.
To understand the vulnerability and its potential for exploitation, some background on Samsung’s Android overlay is needed. Samsung uses their proprietary Qmage (.qmg) image format on their mobile devices. The accompanying codec has, according to Jurczyk, a “very high” degree of complexity and “tens of thousands” of lines of code that have never been vetted for security risks. This is especially worrisome because, as is common for codecs, this one has some limited ability to overwrite memory—and possibly embed malicious executables in the process. The massive amount of untested code provides a perfect hiding place and point of attack.
More troublesome is that malicious SMS messages intended to take advantage of the vulnerability could do so without ever being opened—true no-click attacks. This is because Android displays a thumbnail of images received via SMS, which necessarily prompts the codec into action. Jurczyk notes that a malicious actor with the right skills could even send nearly invisible SMS messages to target devices by including script that would disable notifications and alert tones, rendering users completely unaware that their devices were under attack. That mitigates one of the only saving graces of the vulnerability, which is the relatively small chance of success of any single SMS attack. Jurczyk had to send more than 300 SMS messages to a single device before the embedded executable ran correctly.
Samsung’s patch went OTA throughout May; all supported devices should now be updated to at least SVE-2020-16747, and Samsung users should be safe from attacks launched through .qmg files. While it’s alarming to think that this considerable security vulnerability went unpatched for 6 years, it’s important to remember that it appears to have taken just as long to be discovered (or widely known). Samsung users shouldn’t take this as a sign of lax or poor security on Samsung’s part.