A zero-click vulnerability in Samsung mobile phones if exploited could allow a malicious actor to gain access to all the permissions and privileges associated with Samsung Messenger with no interaction by the user.

The problem only exists within Samsung phones running Android version 4.4.4 or later. This version was first offered in late 2014 but is still actively developed by the vendor with the latest version being pushed out on January 10, 2020 or just before Samsung was informed of the problem on January 28. Samsung publicly thanked Mateusz Jurczyk of Google Project Zero for finding the critical vulnerability, listed as SVE-2020-16747, a memory corruption issue in Qmage image codec built into Skia, an open-source 2D library that serves as the graphics engine across Google Chrome and OS, Android, Mozilla Firefox and Firefox OS, according to Skia.org.

Samsung issued a patch in May. If a device is not updated an attacker could possibly remotely execute arbitrary code execution, but the patch adds the proper validation to prevent memory overwrite. A successful attack would give the threat actor the same privileges as the owner and thus access to personal user information: call logs, contacts, microphone, storage and SMS.

Jurczyk reported on the Project Zero site that Skia is used to handle graphics, supporting all the major formats, for many mobile applications, including untrusted sources such as MMS, chat apps and emails.

“For instance, in my testing, the default Samsung Messages app processes the contents of incoming MMS messages without any user interaction, and I expect that other similar attack vectors exist,” he wrote. “Given its exposure and the fact that it is written in C++, Skia and its image-related components constitute remotely accessible interactionless attack surface on Android, potentially prone to memory safety issues.”

Noting Jurczyk’s find, Tripwire noted, “What makes such a vulnerability particularly concerning is the claim that it could be done without any user interaction, a ‘zero click’ scenario where – for instance – a vulnerable phone just generating a thumbnail preview for a notification message might actually allow an attack.”

A successful attack would not be a simple or quick task. Jurczyk estimated it would take a minimum of about 50 up to 300 MMS attacks for the vulnerability to be exploited. Many attacks are needed, he said, simply to defeat the address space layout randomization (ASLR) by taking advantage of several weaknesses of the ASLR implementation in Android. And each attack is somewhat time-consuming as each unsuccessful probe crashes the app which then takes 60 seconds to reboot so the number of attempts is actually an expression in minutes of how long it can take to exploit the vulnerability.