We have written several times already about the Android OS vulnerabilities that were found within the Google Zero project. And now, another serious vulnerability has been identified, which not only allows attackers to access SMS text messages, contacts, phone data, it can even give them complete control over a mobile device. This time, however, it is not a vulnerability in the Android operating system, but in the Quram library processing the image files. This library is predominantly used in Samsung mobile phones.
The issue has been solved by the last update issued this May, which is already available for Samsung mobile phones. This vulnerability can be found under the code SVE-2020-16747, or possibly under NVD CVE-2020-8899. It has been classified as critical, with temporary evaluation level of CVSS 10.0, i.e. the top possible one.According to the official statement released by Samsung, only models with the Android operating system version 8 and up are vulnerable. However, researcher Mateusz Jurczyk, who discovered this vulnerability, proved by his testing that Samsung models released in 2014 and later, i.e. with an older version of Android, are also vulnerable.
The vulnerability discovered in the Quram library lies in the way in which certain image formats are decoded. If an attacker manages to compile a "malicious" image and it is opened on a vulnerable phone, he can gain access to all the data accessible to the very application, which opened the picture. Let's take an MMS channel attack as an example. This was also presented by the researcher and is considered to be the most likely form of attack. An attacker sends a special picture via an MMS message. Immediately after it is opened by the application for reading SMS messages, the attacker gains access to everything that can be accessed by the given application. Thus, in most cases, this includes SMS messages, contacts, call logs, storage, and others. It always depends on the specific application permissions. However, it cannot be ruled out that an attacker could gain even higher privileges in case the image is decoded by some other application.
In reality, such attack is not so simple. First, an attacker must figure out the layout of the address space, which is "protected" on Android against exploitation of vulnerabilities by ASLR (Address Space Layout Randomization). The Proof of Concept of this attack took almost 2 hours and it was necessary to send more than 100 MMS messages. However, it cannot be ruled out that other vectors of attack may appear, reducing the required number of MMS messages and, in addition to that, preventing any notifications of the incoming message to be seen by the user. This type of attack has not been published yet, however, theoretically, it is possible.
Since the attack via the MMS channel is the most probable one, we recommend the following:
- To disable "MMS auto-retrieve" in your Messages app.
- To check the current OS Android version and, if need be, to install the patch with the fix as soon as possible.
Video Proof of Concept:
Please refer to:
The original vulnerability report including the list of tested devices: https://bugs.chromium.org/p/project-zero/issues/detail?id=2002
The attack Proof of Concept video: https://www.youtube.com/watch?v=nke8Z3G4jnc