Samsung patches 0-click vulnerability impacting all smartphones sold since 2014


Level 37
Feb 4, 2016
Samsung patched this month a critical bug discovered by Google security researchers.

South Korean smartphone vendor Samsung released this week a security update to fix a critical vulnerability impacting all smartphones sold since 2014.

The security flaw resides in how the Android OS flavor running on Samsung devices handles the custom Qmage image format (.qmg), which Samsung smartphones started supporting on all devices released since late 2014.

Mateusz Jurczyk, a security researcher with Google's Project Zero bug-hunting team, discovered a way to exploit how Skia (the Android graphics library) handles Qmage images sent to a device.

Bug can be exploited without user interaction

Jurczyk says the Qmage bug can be exploited in a zero-click scenario, without any user interaction. This happens because Android redirects all images sent to a device to the Skia library for processing -- such as generating thumbnail previews -- without a user's knowledge.
... ...