This article is more than 1 year old
One malicious MMS is all it takes to pwn a Samsung smartphone: Bug squashed amid Android patch batch
Zero-click remote-code exec hole found by Googler, updates emitted
Samsung has patched a serious security hole in its smartphones that can be exploited by maliciously crafted text messages to hijack devices.
It appears no user interaction is required: if Samsung's messaging app bundled with phones since 2015 receives a booby-trapped MMS, it will parse it automatically before the user even opens it. This will trigger a vulnerability in the Skia graphics library, used by the app to decode the message's embedded Qmage image. The end result is code execution on the device, allowing the miscreant who sent it to potentially snoop on their victim and come up with other mischief.
Today I'm happy to release new research I've been working on for a while: 0-click RCE via MMS in all modern Samsung phones (released 2015+), due to numerous bugs in a little-known custom "Qmage" image codec supported by Skia on Samsung devices. Demo: https://t.co/8KRIhy4Fpk— j00ru//vx (@j00ru) May 6, 2020
Samsung has pushed out updates to supported phones to squash the bug, which should be installed ASAP before someone weaponizes an exploit for this programming blunder. If you are still waiting for a patch, switching your default message app to another messaging application, and not Samsung's, and disabling automatic MMS parsing, may help.
The patch coincides with Android's monthly release of security fixes: all owners of devices running supported versions of Android will want to check for and install relevant updates in May's patch batch.
This latest wedge includes fixes for a remote code execution flaw in the Android AAC decoder (CVE-2020-0103) and a critical Android framework elevation-of-privilege bug (CVE-2020-0096) that together can be exploited to gain total control of the device.
The other vulnerabilities at the 01 patch level are as follows. For the Android framework, two additional elevation-of-privilege bugs (CVE-2020-0097, CVE-2020-0098) that grant malware already on the device not-quite-total control over a device, and for the media framework, one EoP flaw (CVE-2020-0094) and three information disclosure bugs (CVE-2020-0093, CVE-2020-0100, CVE-2020-0101).
The Android system patches cover the aforementioned AAC remote code bug as well as four EoP (CVE-2020-0102, CVE-2020-0109, CVE-2020-0105, CVE-2020-0024) and three information disclosure bugs (CVE-2020-0092, CVE-2020-0106, CVE-2020-0104) holes.
At the 05 level, patches for components outside of the core Android package, fixes were posted for two kernel flaws allowing EoP (CVE-2020-0110) and information disclosure (CVE-2019-19536). Four fixes were posted for information disclosure bugs in MediaTek components (CVE-2020-0064, CVE-2020-0065, CVE-2020-0090, CVE-2020-0091).
A total of 18 patches were posted for flaws in Qualcomm components, though the details on those bugs were not given.
Those with supported Google-branded devices should get the May fixes directly from the Chocolate Factory, while other Android devices should see the fixes come from their respective vendors and carriers. This can happen anywhere from immediately to several weeks from now, to never, depending on the supplier. ®