Samsung has released a security update for its popular Android smartphones which includes a critical fix for a vulnerability that affects all devices sold by the manufacturer since 2014.

On its Android security update page, Samsung credits researcher Mateusz Jurczyk of Google Project Zero with the discovery of the vulnerability, which he says can be exploited to run malicious code on a targeted device without alerting the user.

Such an attack, if successful, could result in a remote hacker gaining access to a wide variety of information – including a user’s call logs, address book, SMS archive, and so forth.

In a video posted on YouTube, the researcher demonstrates how the vulnerability could be exploited by a malicious hacker sending a booby-trapped image to the device via MMS.

The poisoned file is a Samsung Qmage (QMG) image, a proprietary format handled by the image codec library on Samsung smartphones. The file exploits a vulnerability in that codec to overwrite memory, which can be turned into remote code execution.
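To make the mechanism in that paragraph concrete, here is an added example written for this page, not code from Samsung, Project Zero or the Qmage codec. It models a deliberately simple, made-up run-length-encoded raster format (the "TI" header, its field layout and the two sample files are all constructed for illustration and bear no relation to the real QMG structure) and shows the generic bug class an image decoder can expose: a decoder that trusts the length fields in the file and writes past the pixel buffer it sized from the header, next to a hardened version that bounds every write by the announced pixel count.

```c
/* Toy "TI" raster format, constructed for illustration (not Qmage):
 *   header: 'T' 'I' width(u32 LE) height(u32 LE)   -> 10 bytes
 *   body:   (run_length u8, pixel_value u8) pairs, one byte per pixel
 * A decoder sizes its output from width*height and expands the runs into
 * it. The modelled bug is the classic one: run data is trusted and never
 * compared against the size the header announced.
 */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define TI_HDR_LEN 10

static uint32_t rd32le(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static int parse_header(const uint8_t *img, size_t len, uint32_t *w, uint32_t *h) {
    if (len < TI_HDR_LEN || img[0] != 'T' || img[1] != 'I') return -1;
    *w = rd32le(img + 2);
    *h = rd32le(img + 6);
    return 0;
}

/* VULNERABLE: expands runs into out[] without bounding the write position
 * by the pixel count the header promised. A body whose runs add up to more
 * than width*height writes past the end of the output buffer. */
int ti_decode_unchecked(const uint8_t *img, size_t len, uint8_t *out) {
    uint32_t w, h;
    if (parse_header(img, len, &w, &h)) return -1;
    size_t pos = 0;
    for (size_t i = TI_HDR_LEN; i + 1 < len; i += 2) {
        uint8_t run = img[i], val = img[i + 1];
        for (uint8_t k = 0; k < run; k++)
            out[pos++] = val;          /* no comparison with w*h: buffer overflow */
    }
    return 0;
}

/* HARDENED: validates dimensions (non-zero, no size_t overflow, fits the
 * caller's buffer) and refuses any run that would exceed the pixel count.
 * Returns 0 on success, -1 on malformed input; never writes out of bounds. */
int ti_decode_checked(const uint8_t *img, size_t len, uint8_t *out, size_t out_len) {
    uint32_t w, h;
    if (parse_header(img, len, &w, &h)) return -1;
    if (w == 0 || h == 0 || w > SIZE_MAX / h) return -1;
    size_t npix = (size_t)w * h;
    if (npix > out_len) return -1;
    size_t pos = 0;
    for (size_t i = TI_HDR_LEN; i + 1 < len; i += 2) {
        uint8_t run = img[i], val = img[i + 1];
        if (run > npix - pos) return -1;   /* would overrun the pixel buffer */
        memset(out + pos, val, run);
        pos += run;
    }
    return pos == npix ? 0 : -1;           /* a truncated body is also an error */
}

/* Constructed sample files. The malicious one announces a 4x4 image
 * (16 pixels) but carries runs totalling 24 pixels. */
static const uint8_t benign_img[] = {
    'T', 'I', 2, 0, 0, 0, 2, 0, 0, 0,     /* 2x2 */
    2, 0x10, 2, 0x20                       /* four pixels */
};
static const uint8_t malicious_img[] = {
    'T', 'I', 4, 0, 0, 0, 4, 0, 0, 0,     /* 4x4: 16 pixels promised */
    8, 0xAA, 8, 0xBB, 8, 0x41              /* 24 pixels delivered */
};

#define NEIGHBOUR "SECRET-OR-VTABLE"   /* 16 bytes standing in for an adjacent heap chunk */

/* Heap model: a 16-byte pixel buffer followed directly by another live
 * allocation. One flat array keeps the overrun within defined behaviour for
 * the demo while still showing the neighbour being clobbered. */
typedef struct { uint8_t mem[32]; } heap_model;

static void heap_init(heap_model *hm) {
    memset(hm->mem, 0, 16);
    memcpy(hm->mem + 16, NEIGHBOUR, 16);
}

/* Returns 1 if the unchecked decoder corrupted the neighbouring allocation. */
int demo_unchecked_corrupts_neighbour(void) {
    heap_model hm; heap_init(&hm);
    ti_decode_unchecked(malicious_img, sizeof malicious_img, hm.mem);
    return memcmp(hm.mem + 16, NEIGHBOUR, 16) != 0;
}

/* Returns 1 if the checked decoder rejected the file and left the neighbour intact. */
int demo_checked_rejects(void) {
    heap_model hm; heap_init(&hm);
    int rc = ti_decode_checked(malicious_img, sizeof malicious_img, hm.mem, 16);
    return rc == -1 && memcmp(hm.mem + 16, NEIGHBOUR, 16) == 0;
}

/* Returns 1 if the checked decoder decodes a well-formed file correctly. */
int demo_checked_accepts_benign(void) {
    uint8_t px[4] = {0};
    static const uint8_t want[4] = {0x10, 0x10, 0x20, 0x20};
    return ti_decode_checked(benign_img, sizeof benign_img, px, sizeof px) == 0 &&
           memcmp(px, want, 4) == 0;
}

int main(void) {
    printf("unchecked decoder corrupted neighbour:   %d\n", demo_unchecked_corrupts_neighbour());
    printf("checked decoder rejected malicious file: %d\n", demo_checked_rejects());
    printf("checked decoder decoded benign file:     %d\n", demo_checked_accepts_benign());
    return 0;
}
```

The point of the flat `heap_model` array is that on a real device the bytes after the pixel buffer are whatever the allocator placed there, and an attacker who controls run lengths and pixel values controls what gets written over them; the hardened decoder removes that by never letting the body write more than the header-derived pixel count, and by rejecting the header itself when the dimensions are zero, would overflow `size_t`, or exceed the buffer it was handed.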

What makes the vulnerability particularly concerning is that it can be exploited without any user interaction: a “zero-click” scenario in which, for instance, a vulnerable phone merely generating a thumbnail preview for a notification could be enough to trigger the attack.

And don’t assume that, even if no notification appears, your smartphone would at least make a sound as the poisoned message arrived. According to the researcher, although his video’s proof-of-concept demonstration makes no attempt to be silent or stealthy, “after some brief experimentation, I have found ways to get MMS messages fully processed without triggering a notification sound on Android, so fully stealth attacks might be possible.”

According to Jurczyk’s write-up on the Project Zero website, the code used to handle QMG files is (Read more...)