Here's why all Samsung Galaxy phones (2014 or later) need to be updated now

Posted May 8, 2020 | Mobile | News


If you own a Samsung Galaxy handset produced in 2014 or later (which includes this year’s Galaxy S20 line), make sure that you install the monthly security update ASAP. That’s because of a “zero-click” vulnerability that could allow an attacker to load malicious code on your phone. According to ZDNet, Mateusz Jurczyk, a researcher with Google’s Project Zero team, discovered that on Samsung phones the code Android’s Skia graphics library uses to handle images in the Qmage graphic format (.qmg) has a bug that could be exploited by a bad actor.

To make matters worse, the zero-click designation means that the user does not have to interact with any particular part of the phone for the device to be exploited. When an Android phone is sent an image, it is redirected to the Skia image library for processing without the user’s knowledge. Jurczyk created a video of his proof of concept demo that showed the exploit in the Samsung Messages app. The researcher tested the exploit by repeatedly sending MMS messages to a Samsung handset while trying to bypass the protective ASLR (Address Space Layout Randomization) security technique. It took him 100 minutes and required him to send 50 to 300 MMS messages to bypass ASLR. “I have found ways to get MMS messages fully processed without triggering a notification sound on Android, so fully stealth attacks might be possible,” Jurczyk said.

While the researcher ran his proof of concept test only on the Samsung Messages app, he said that in theory, the bug could be exploited through any app that can receive Qmage images from another device. We don’t know whether the vulnerability was ever exploited by attackers. Phones from other Android manufacturers aren’t vulnerable to the bug, because it was Samsung that modified Android to support the Qmage image format; the format was developed by another South Korean company named Quramsoft.

The recent security update disseminated by Samsung designates this vulnerability as SVE-2020-16747, and Jurczyk’s report is available on the Project Zero site. Recently, Project Zero also found multiple vulnerabilities in Image I/O, used for parsing and working with image files on all Apple operating systems. These have been patched.

Security updates don’t seem exciting because they don’t deliver new features. Still, they are important to install right away because they can stop your phone from getting attacked by a bad actor looking to profit from his actions one way or another.


