Samsung just fixed a bug that existed in all its smartphones ever since 2014, reveals Google researcher

Samsung's May 2020 software update reportedly fixed a vulnerability in smartphones that allowed hackers to exploit the device remotely, without user intervention. This vulnerability was found in all Samsung phones that were launched since 2014, as reported by ZDNet. And it was discovered by Mateusz Jurczyk, a security researcher with Google's Project Zero team.

The bug was said to be related to Skia (the Android graphics library) and how it handled the custom Qmage image format (.qmg), something that the South Korean tech firm started supporting on its devices since 2014.

As per Jurczyk, the Qmage bug could be exploited without any user interaction. That's because the Android OS redirects all the images sent to the device, to Skia library for processing, whch includes creating thumbnails and more, without bothering the user.

Also read: Samsung is planning some major upgrades to its Galaxy S21 camera

So, the researcher developed a demo that used the vulnerability along with Samsung Messages app, which is there in all the smartphones. This app not just handles the SMS texts but MMS multimedia as well. Jurczyk was able to exploit the bug by sending MMS repeatedly to a Samsung device. These were sent to locate the Skia library in the Android phone, something that is important to bypass Android's ASLR (Address Space Layout Randomization) protection. Once located, the last MMS delivers the Qmage payload on the device.

The researcher even added that the SMS or MMS sent to the user can be configured to reach the handset without any alerts. "I have found ways to get MMS messages fully processed without triggering a notification sound on Android, so fully stealth attacks might be possible," said Jurczyk.

Also mentioned what that this bug is not related to Samsung Messages app only and can be on any app that supports Qmage.