Samsung this week released a security update to fix a serious vulnerability affecting all of its smartphones sold since 2014. The flaw lies in how Samsung devices handle the Qmage image format, which the South Korean giant's phones began to support on all devices sold since late 2014.

Matthew Gorschik, a security researcher on Google's Project Zero team, discovered a way to exploit how the Android graphics library, Skia, handles Qmage images sent to the device. The flaw can be exploited without the user's knowledge and without any interaction with the device.

Samsung has acknowledged the security issue, and the May security update contains the fix, but it is not certain whether the fix will be rolled out to all affected devices.

According to Gorschik, once a Samsung user receives an image file via the Samsung Messages app, the Android system redirects all images to the Skia library for processing, such as producing thumbnail previews, without the user's knowledge. Qmage image files can be exploited because they reveal the location of the Skia library in the phone's memory.


He explained that the attack can be tuned so that it executes without alerting the user, and continued, "I found ways to handle MMS messages completely without triggering the alert sound on the Android system, so it may be possible to launch completely hidden attacks."


He discovered the security vulnerability in February and reported it to Samsung, which in turn corrected the error in the May 2020 security updates.