Return to the list of client alerts
Samsung released a patch this month for a bug that has been around in all Samsung branded phones sold since 2014.
The bug is a zero-click vulnerability, meaning that the user does not need to do anything to allow an attacker to exploit the vulnerability.
The bug is in Samsung’s Qmage image format interpreter.
It does likely require the attacker to send a bunch of text messages to find the vulnerability, but the researcher says that this can be done quietly so the user is not aware.
The end game allows an attacker to execute whatever code he or she wants to on your phone.
Just so that you don’t think that the researchers are picking on Android (note that the research team is part of Google’s Project Zero, so this is really Google hacking itself), the same Project Zero folks found 14 zero-click bugs in Apple’s image processing framework.
But here are the big problems.
Unlike in the Apple world, users are dependent on the phone maker taking Google’s fix and testing it. Then the phone maker has to send the fix to all of the carriers. Then the carrier has to care enough to distribute the patch to their customers.
THE ONE EXCEPTION TO THIS IS GOOGLE BRANDED PHONES – PIXEL AND NEXUS. In that case Google is in control of the patches and pushes them out quickly.
The other problem is this is a bug that affects all Samsung phones sold since 2014. Samsung only patches phones for about two years from initial release. That means most of the affected phones will never be patched because there will be no patches released.
Google understands that this is a competitive disadvantage for them for a few knowledgeable consumers, but also for their brand.
As a result, starting with Android phones that ship from the factory with ANDROID 10 (meaning phones that were not updated to Android 10 after shipping, but came with Android 10 out of the box), Google is offering manufacturers a way for Google to update the phone without the manufacturer or carrier having to do anything. Carriers can opt out of this, but they would be stupid to do so. Still, you better ask.
My recommendations are:
(a) if you have a Samsung phone, see if there is a patch for it.
(b) the next phone you buy should either be one of Google Pixel phones -OR- a phone that ships with Android 10 from the factory and which the carrier has not opted out of Google’s offer.
Be a wise consumer. If you don’t care, neither will they. Credit: ZDNet
For businesses, understand that if your employees have a Samsung phone and that phone is not and maybe never will be patched, your data is at risk.