All Samsung Phones From 2014-2020 Have 'Zero-Click' Vulnerability, Researcher Found

No matter how good a product is, there is always a chance for a flaw to be found.

Samsung, the South Korean smartphone vendor, is the latest example. According to Mateusz Jurczyk, a security researcher on Google's Project Zero bug-hunting team, a security bug affected every Samsung Android device released since late 2014.

Jurczyk found that the flaw lay in how Samsung's build of Android, from version 4.4.4 (KitKat) onward, handled the Qmage image format (.qmg), a custom format developed by the South Korean company Quramsoft.

Samsung has shipped support for this format on all of its devices released since late 2014.

Specifically, the flaw was in the way Skia, the Android graphics library, handled Qmage images sent to a device; Samsung had wired the Qmage codec into its own build of Skia.

By default, images arriving on the device are handed to Skia for decoding, for example to generate thumbnail previews, before the user has done anything with them.

That, Jurczyk said, is what makes the Qmage bug exploitable in a zero-click scenario: no user interaction is needed.

Qmage is the graphics format used for Samsung phone themes.

A theme (.smt file) bundles the graphics for each of its parts, such as the phone background, a button, or another visual item, and those graphics are compiled into a proprietary Samsung binary format.

The source images start out as ordinary PNG files; they are converted to Qmage and packed into the .smt file together with an XML file that specifies where each image should be displayed.

The proprietary, theme-oriented origin of the format offers no protection here. Because the Qmage codec lives in the system-wide graphics library rather than in the theme engine, any app that decodes an image through the standard Android APIs can be made to run it, and the file does not need to carry the .qmg extension: Skia selects a codec from the file's header bytes, not from its name.

An attacker can therefore deliver a Qmage payload through any channel that accepts images, and other apps may legitimately produce and consume .qmg files as well.

The researcher developed a proof-of-concept exploit against Samsung Messages, the app included on all Samsung devices for handling SMS and MMS messages.

Jurczyk said he exploited the bug by sending a series of MMS (multimedia messaging) messages to a Samsung device. Each message carries a Qmage image crafted to test one guess about where the Skia library sits in the memory of the Messages process.

The repetition is needed to defeat Android's ASLR (Address Space Layout Randomization), which places the library at an address the attacker cannot know in advance. Because Skia is loaded by the zygote process from which Android forks every app, that address stays the same across Messages crashes and restarts until the phone reboots, so each probe narrows down the location a little further.

Once the address was known, Jurczyk sent one final MMS, this time with a Qmage file that triggers the bug and runs the attacker's code on the phone.

Because the image is decoded as soon as the message arrives, the phone is compromised even if the user never opens the message.

In total, the attacker needs to send between 50 and 300 MMS messages to probe the phone's memory and bypass ASLR. According to the Google researcher, the whole attack takes around 100 minutes on average.
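The probing loop described above, modelled as an added example. This is constructed illustration code, not Jurczyk's exploit and not any Samsung code. It assumes two things the article does not spell out: that each message tests one candidate address, and that the attacker learns only whether the decoding process survived or crashed at that address, a yes/no oracle. The window and library sizes are made up and were chosen so that probe counts land in a similar range to the message counts quoted above. The point it shows is that a binary survive/crash signal turns ASLR into a bounded number of probes: a sweep at one-library strides, then a binary search for the exact base.

```python
"""Toy model of defeating ASLR with a crash oracle, one probe per message.

Constructed illustration, not the researcher's code. Assumptions (not from
the article): the attacker can test one candidate address per MMS and learns
only whether the decoding process survived (address mapped) or crashed
(address unmapped). Window and library sizes are illustrative.
"""
import math
import random

PAGE = 0x1000  # 4 KiB pages


class TargetProcess:
    """Stand-in for the Messages process: one library at a randomized base."""

    def __init__(self, lib_pages, entropy_bits, rng):
        self.lib_pages = lib_pages
        window_pages = 1 << entropy_bits  # size of the randomization window
        # The library must fit inside the window; the base is page aligned.
        self.base = rng.randrange(0, window_pages - lib_pages + 1) * PAGE
        self.end = self.base + lib_pages * PAGE
        self.probes = 0  # one probe == one message sent

    def survives_access(self, addr):
        """One probe: True if an access at addr lands inside the library (the
        process keeps running), False if it would fault (the process crashes)."""
        self.probes += 1
        return self.base <= addr < self.end


def locate_library(proc, lib_pages, entropy_bits):
    """Recover the library base using only the survive/crash oracle."""
    window_pages = 1 << entropy_bits
    stride = lib_pages * PAGE

    # Phase 1: sweep the window at one-library strides. Any run of lib_pages
    # consecutive pages contains exactly one stride point, so one probe is
    # guaranteed to land inside the mapping.
    hit = None
    for addr in range(0, window_pages * PAGE, stride):
        if proc.survives_access(addr):
            hit = addr
            break
    if hit is None:
        raise RuntimeError("sweep cannot miss a mapping of stride size")

    # Phase 2: the base lies in (hit - stride, hit]. On that interval the
    # oracle is monotone (unmapped below the base, mapped from the base up to
    # hit), so a binary search finds the first mapped page in about
    # log2(lib_pages) probes.
    lo = max(hit - stride + PAGE, 0)
    hi = hit
    while lo < hi:
        mid = lo + ((hi - lo) // PAGE // 2) * PAGE
        if proc.survives_access(mid):
            hi = mid
        else:
            lo = mid + PAGE
    return lo


def max_probes(lib_pages, entropy_bits):
    """Worst-case number of messages: a full sweep plus the binary search."""
    return (1 << entropy_bits) // lib_pages + math.ceil(math.log2(lib_pages))


def run_trial(seed, lib_pages=512, entropy_bits=16):
    """One simulated attack. Returns (recovered_base, true_base, probes_used)."""
    rng = random.Random(seed)
    proc = TargetProcess(lib_pages, entropy_bits, rng)
    found = locate_library(proc, lib_pages, entropy_bits)
    return found, proc.base, proc.probes


if __name__ == "__main__":
    for seed in range(5):
        found, true_base, n = run_trial(seed)
        print(f"seed={seed}: base=0x{true_base:x} found=0x{found:x} "
              f"probes={n} (worst case {max_probes(512, 16)})")
```

With the illustrative sizes (a 256 MiB randomization window and a 2 MiB library) the sweep takes at most 128 probes and the binary search 9 more, so the base is recovered in well under 140 messages every time. Real layouts have more entropy and more mappings than this model, which is why the actual count depends on what else the oracle can distinguish; the structure of the search, and the fact that each probe costs one message, is the part that carries over.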

He also noted that he found ways to have the MMS messages processed on the victim's phone without triggering a notification, so the probing can proceed without the user ever seeing a text alert.

Jurczyk added that it should theoretically be possible to mount the same kind of attack against any app on a Samsung phone that can receive Qmage images from a remote attacker.

The researcher discovered the vulnerability in February 2020 and promptly reported it to Samsung.

The South Korean phone maker patched the bug in its May 2020 security update for Android.

The bug is tracked as SVE-2020-16747 in the Samsung security bulletin and as CVE-2020-8899 in the MITRE CVE database.

Jurczyk said in his report that "all Samsung Android devices released since late 2014/early 2015 up to today's flagships are affected by some or all of the Qmage-related bugs."

In practice, that means devices from the Galaxy Note 4 and Galaxy S5 onward, up to and including the Note 10+ and the Galaxy A series, among others.

The flaw does not exist on non-Samsung phones.

This is because only Samsung appears to have modified its Android build, and the Skia library within it, to support the custom Qmage image format; the codec is not part of the open-source Android code.

This bug report is part of Project Zero's focus on finding zero-click attack surface in modern operating systems, and especially in their graphics processing code.

Published: 11/05/2020