Date: 08/05/20
Samsung patches 0-click vulnerability impacting all smartphones sold since 2014
South Korean smartphone vendor Samsung released this week a security update to fix a critical vulnerability impacting all smartphones sold since 2014.

The security flaw resides in how the Android OS flavor running on Samsung devices handles the custom Qmage image format (.qmg), which Samsung smartphones started supporting on all devices released since late 2014.
Mateusz Jurczyk, a security researcher with Google's Project Zero bug-hunting team, discovered a way to exploit how Skia (the Android graphics library) handles Qmage images sent to a device.
Jurczyk says the Qmage bug can be exploited in a zero-click scenario, without any user interaction. This happens because Android redirects all images sent to a device to the Skia library for processing -- such as generating thumbnail previews -- without a user's knowledge.
The researcher developed a proof-of-concept demo exploiting the bug against the Samsung Messages app, included on all Samsung devices and responsible for handling SMS and MMS messages.
Jurczyk said he exploited the bug by sending repeated MMS (multimedia SMS) messages to a Samsung device. Each message attempted to guess the position of the Skia library in the Android phone's memory, a necessary operation to bypass Android's ASLR (Address Space Layout Randomization) protection.
Jurczyk says that once the Skia library was located in memory, a final MMS delivers the actual Qmage payload, which then executes the attacker's code on the device.
The Google researcher says the attack typically needs between 50 and 300 MMS messages to probe and bypass ASLR, which takes around 100 minutes on average.
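The figures above (50 to 300 messages over roughly 100 minutes) give a defender a usable signal: a burst of MMS from one sender to one recipient inside such a window is anomalous. The following is an added example, not code from the article or from Project Zero, of a sliding-window detector over a constructed MMS delivery log; the log format, phone numbers and thresholds are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Constructed log line format (not a real carrier or MDM format):
#   "<ISO time> MMS from=<msisdn> to=<msisdn> size=<bytes>"
LINE_RE = re.compile(r"^(?P<ts>\S+) MMS from=(?P<src>\S+) to=(?P<dst>\S+) size=\d+$")

def parse_line(line):
    """Return (timestamp, src, dst) or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.fromisoformat(m["ts"]), m["src"], m["dst"]

def find_probing_bursts(lines, threshold=50, window=timedelta(minutes=100)):
    """Flag (src, dst) pairs delivering >= threshold MMS inside any window.

    Keeps a per-pair sliding window of timestamps and assumes lines arrive in
    chronological order. Attachment MIME labels are sender-controlled, so every
    MMS counts, not only those labelled as images. Defaults match the
    50 messages / 100 minutes lower bound reported in the article. Returns
    {(src, dst): timestamp at which the threshold was first reached}.
    """
    recent = defaultdict(deque)
    alerts = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, src, dst = parsed
        q = recent[(src, dst)]
        q.append(ts)
        while ts - q[0] > window:  # drop timestamps that fell out of the window
            q.popleft()
        if len(q) >= threshold and (src, dst) not in alerts:
            alerts[(src, dst)] = ts
    return alerts

def sample_log(count=60, step_minutes=1):
    """Constructed sample: one noisy sender, one benign message and a junk line."""
    t0 = datetime(2020, 5, 8, 10, 0)
    lines = [f"{(t0 + timedelta(minutes=i * step_minutes)).isoformat()} MMS "
             f"from=+15550000001 to=+15550000002 size=4096" for i in range(count)]
    lines.append(f"{t0.isoformat()} MMS from=+15550000003 to=+15550000002 size=2048")
    lines.append("garbage line that should be ignored")
    return lines
```

With the default one-minute spacing the noisy sender trips the threshold on its 50th message; spreading the same 60 messages three minutes apart keeps every 100-minute window below 50 and produces no alert.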
Furthermore, Jurczyk says that while the attack might look noisy, it can also be modified to execute without alerting the user.
"I have found ways to get MMS messages fully processed without triggering a notification sound on Android, so fully stealth attacks might be possible," the Google researcher says.
In addition, Jurczyk says that while he did not test exploiting the Qmage bug through other methods outside MMS and the Samsung Messages app, exploitation is theoretically possible against any app running on a Samsung phone that can receive Qmage images from a remote attacker.
The researcher discovered the vulnerability in February and reported the issue to Samsung. The South Korean phone maker patched the bug in its May 2020 security updates.
The bug is tracked as SVE-2020-16747 in the Samsung security bulletin and CVE-2020-8899 in the MITRE CVE database.
Other smartphones don't appear to be impacted as only Samsung appears to have modified the Android OS to support the custom Qmage image format -- developed by South Korean company Quramsoft.
This bug report is part of Project Zero's recent focus on the zero-click attack surface in modern operating systems, and especially in their graphics processing code. Previously Google researchers also disclosed 14 zero-click bugs in Image I/O, Apple's image parsing framework.
©ictnews.az. All rights reserved.