Do you own a Samsung device sold after 2014 and wonder why there is a .qmg file on it? That file format is tied to a critical vulnerability (code-named SVE-2020-16747) that lets hackers exploit your device. The South Korean electronics giant has now fixed the issue, which was brought to light by Mateusz Jurczyk, a security researcher with Google’s Project Zero bug-hunting team. He found a way to exploit how the Android graphics library, Skia, handles Qmage images (.qmg files).
The remote code execution (RCE) bug, which can be exploited without the user’s knowledge, was identified in February 2020. The Samsung Messages app passes the received image file to the Skia library, and these files can be used to reveal the position of the library in memory. It takes roughly 300 MMS messages to probe and bypass Android’s Address Space Layout Randomization (ASLR) protection.
After that, the hacker can execute the code needed to gain access to vital information, including call logs, contacts, the microphone, storage, and SMS messages. Mateusz told ZDNet, “After reporting the crashes, I spent several weeks working on a 0-click MMS exploit proof-of-concept for one of the vulnerabilities. I managed to achieve this goal with a Samsung Galaxy Note 10+ phone running Android 10.” He also added that he can have the MMS messages processed without triggering a notification sound, which makes it a potent way to gain device access.
Only Samsung devices are affected by the bug, since Samsung is the only vendor that modifies stock Android to support the Qmage format, which was developed by the South Korean firm Quramsoft. Samsung has acknowledged the flaw and is now rolling out the patch in the May security update.