Samsung Galaxy Smartphones Built After 2014 Are Vulnerable to Stealth Takeover via MMS

A critical vulnerability affecting all Samsung Galaxy phones released in the past six years was finally closed. A researcher found that a carefully crafted MMS message could have allowed an attacker to take full control of the device.

Smartphones are among the most powerful and predominant exponents of the Internet of Things (IoT) ecosystems. They contain a lot of sensitive data and are guardians of user privacy. When something goes wrong in terms of security, the effects are immediate and, depending on the popularity of the devices, the consequences are serious.

Project Zero researcher Mateusz Jurczyk found a vulnerability affecting all Samsung’s Android OS versions O(8.x), P(9.0) and Q(10.0) that would let an attacker remotely take control of the device, without any input from the user.

In case you didn’t know, Samsung Galaxy phones don’t run the default Android OS, but a modified version, which means that only the phones running it are affected. All Samsung Galaxy smartphones built after 2014 are vulnerable, without exception.

“There is a buffer overwrite vulnerability in the Quramqmg library of Samsung’s Android OS versions O(8.x), P(9.0) and Q(10.0),” reads the CVE entry.

“An unauthenticated, unauthorized attacker sending a specially crafted MMS to a vulnerable phone can trigger a heap-based buffer overflow in the Quram image codec leading to an arbitrary remote code execution (RCE) without any user interaction. ”

Basically, an attacker would only need to send its target an MMS containing a modified custom Samsung Qmage. The vulnerability affects the image codec library.

The biggest problem with this vulnerability is that it has a perfect CVE score of 10, which is given, among other things, by the fact that the remote code execution (RCE) is triggered without any user interaction.

Jurczyk also published a video demonstration of the vulnerability in action, although the proof of concept wasn’t made public. Samsung security updates released in May fix the problem, but it takes a long time before all devices are covered. Furthermore, some older devices are no longer supported and won’t receive the security patch.

There are some bits of good news, if we can call them that. A successful attack needs more than just one MMS. In fact, an attacker would need to send an average of 100 messages for the vulnerability to be successfully exploited, which takes a long time.

The only possible mitigation would be for Samsung Galaxy users to disable the “auto retrieve” option for multimedia messages in the Messages app until they apply the patch.