Samsung is patching this month a critical security issue affecting all its Android smartphones sold since 2014, beginning with Android 4.4.4 KitKat. A “zero-click” vulnerability, this newly discovered flaw could let a hacker wreak havoc on someone’s phone by simply sending a specific type of image, exploiting the device without any user action.
The vulnerability was discovered by Mateusz Jurczyk, a security researcher with Google’s Project Zero bug-hunting team, who discovered a way to exploit how Skia (the Android graphics library) handles Qmage image files (.qmg) sent to a device.
Jurczyk said the attack usually needs between 50 and 300 MMS messages to probe and bypass Android’s ASLR (Address Space Layout Randomization), which usually takes around 100 minutes, on average.
This flaw was patched in Samsung’s May 2020 Security Update for Android, so if you own a Samsung device from 2014 or later, make sure to install the update when you get it.
Read more about it here.