Samsung this week released its May 2020 security update package for Android smartphones, which includes a fix for a critical vulnerability that has affected all of its devices since 2014.
In addition to the patches from the Android Security Bulletin – May 2020, the handset maker’s update fixes 19 vulnerabilities specific to Samsung smartphones. The most prominent of these are two critical vulnerabilities, one in the secure bootloader and one in the Quram qmg decoding library.
The first is a heap-based buffer overflow in the secure bootloader that could allow Secure Boot to be bypassed and potentially lead to arbitrary code execution. Samsung says it addressed the bug with proper validation but provides no further details about the vulnerability.
The second is a memory overwrite issue in the Quram qmg library that could lead to remote arbitrary code execution.
The bug appears to affect all Samsung smartphones released since 2014, when the company added support for the custom Qmage image format (.qmg) developed by Korean third-party company Quramsoft.
Discovered by Google Project Zero security researcher Mateusz Jurczyk, this vulnerability can be exploited through malicious MMS (multimedia) messages without any user interaction. A proof-of-concept video of the 0-click MMS exploit is now available (but not the exploit code).
The researcher says that because there are four major versions of Qmage, Samsung’s Android smartphones released since late 2014/early 2015 are affected to varying degrees. The most recent devices are likely affected by the largest number of issues, since they support all versions of Qmage.
The researcher demonstrated the bug on a Samsung smartphone running Android 10 (with the February 2020 patches installed), with the default Samsung Messages app set as the SMS/MMS handler.
“The insecure codec runs input images in the sense of the attacked device processing, so that the attacker even gets the privileges of the app. In the case of my example, that’s Samsung Messages, which has access to a variety of personal user information: call logs, addresses, microphone, data, SMS, etc.,” says Jurczyk.
Only Samsung devices are affected, because the vulnerable software is shipped only on the company’s own devices.
High-severity bugs the South Korean phone maker patched this month include arbitrary code execution in the Quram library during JPEG decoding, a possible brute-force attack on the Gatekeeper Trustlet, and possible spoofing in certain Broadcom Bluetooth chipsets (which use a PRNG with low entropy).
Samsung did not provide details on all the vulnerabilities addressed this month, but it did note that it fixed five low-severity flaws: leakage of clipboard information via USSD in the locked state, a possible heap overflow in the bootloader, unauthorized change of the preferred SIM card in the locked state, a possible relative buffer write in S.LSI Wi-Fi drivers, and FRP bypass with the S Pen.