Hack All Samsung Devices by just Sending MMS
Google Project Zero team discovered Zero-Click RCE bug all Samsung Devices
The security flaw resides in how the Android OS flavour running on Samsung devices handle the custom Qmage image format (.qmg), which Samsung smartphones started supporting on all devices released since late 2014.
This is bug categorised with the high severity as the exploitation of the bug doesn't need users interaction. This bug works because Android redirects all images sent to a device to the Skia library for processing such as generating thumbnail previews without a user's knowledge.
For demo and PoC, researchers showed the exploitation of the bug on Samsung latest flagship Galaxy Note 10+. The researcher performs the PoC against the Samsung Messages app, included on all Samsung devices and responsible for handling SMS and MMS messages.
Furthermore, once the Skia library was located in memory, the last MMS delivers the actual Qmage payload, which then executed the attacker's code on a device.
The attack usually needs between 50 and 300 MMS messages to probe and bypass the ASLR, which usually take some time.
As the attack is on messaging app, so there will be notification of MMS on target devices, which can be spammy. But for this Jurczyk says -
"I have found ways to get MMS messages fully processed without triggering a notification sound on Android, so fully stealth attacks might be possible,"The researcher had reported the vulnerability to the Samsung team on February and in response, the fix has been done, which will be pushed in May security updates. So if you are using Samsung devices, it is highly recommended to check for updates under Setting →About section.
The bug is tracked as SVE-2020-16747 in the Samsung security bulletin and CVE-2020-8899 in the Mitre CVE database.