Samsung patches security vulnerability impacting all Galaxy phones sold since 2014


Android gets a lot of flak for security, but most of the time errors can be traced back to changes that were made to the open-source platform. This week, a security vulnerability in every Android phone Samsung has sold since 2014 was patched after being exposed by Google’s Project Zero.

Project Zero is a team within Google that focuses on finding major vulnerabilities in various platforms, and recently, they discovered exactly that with Samsung. On every Android phone Samsung has sold since 2014, a security vulnerability was found that could be exploited with no user interaction or notification that could deliver an attacker’s code to the system.

How does this work? ZDNet explains that the attack goes after Android’s graphics library — Skia — using .qmg files. Samsung customized the way that its Android smartphones handle this image format specifically, in turn leaving this vulnerability open.

By sending MMS messages to a Samsung device using the Samsung Messages app, Qmage files could exploit Skia and bypass Android’s Address Space Layout Randomization protection. This attack takes multiple MMS messages since it takes time for the file to “guess” where the Skia is located. Once it is found, though, a final message can execute the attacker’s code.

The process generally takes around 100 minutes and between 50 and 300 messages to complete.

Samsung has already fixed this issue for many users, too. The May 2020 security patch that is already rolling out fixes the problem for any affected Galaxy smartphone. The Galaxy S20 and Galaxy S10 series, for example, have already been patched with more devices to follow. To reiterate, it does not affect other Android smartphones.

More on Samsung:

FTC: We use income earning auto affiliate links. More.


Check out 9to5Google on YouTube for more news:

About the Author

Ben Schoon’s favorite gear

No Comment

Leave a reply

Your email address will not be published. Required fields are marked *