All Samsung phones since 2014 vulnerable to scary "zero-click" attacks - what to do


Samsung is patching a critical security issue affecting all of its Android smartphones dating back to 2014, including Galaxy phones. The newly discovered flaw, a "zero-click" vulnerability, could allow hackers to exploit the device without any user action, simply by sending certain types of images, wreaking havoc on the phone.

As reported by ZDNet, the vulnerability was discovered by Mateusz Jurczyk, a security researcher on Google's Project Zero team. Jurczyk said that the flaw is in Samsung phones from Android 4.4.4 KitKat. He noted that it is related to how these phones handle the Qmage image format (.qmg), which has been supported by all Galaxy devices since late 2014.

As Jurczyk showed in the video, this vulnerability allows hackers to take advantage of the Skia image library, where all images sent to an Android device are processed to create thumbnail previews, etc. This flaw does not exist in non-Samsung phones.

Jurczyk used Samsung's Messages app to send a series of multimedia SMS messages to Samsung devices.

Once the Skia library was located in memory, the Qmage file was sent as the last multimedia message, allowing the attacker to run malicious code on the phone. Since this is a zero-click attack, the user is affected immediately, without having to open the message.

According to Jurczyk, this attack requires 50 to 300 multimedia messages to bypass Android's ASLR (Address Space Layout Randomization) protection and find vulnerable locations in system memory, which can be done in less than two hours, he said.

He also noted that he found a way to have MMS messages processed without triggering a notification.

This flaw is fixed in Samsung's May 2020 security update for Android, so if you own a Samsung device from 2014 or later, be sure to install the update when you get it.

Jurczyk stated that "All Samsung Android devices released since late 2014/early 2015, up to today's flagships, are affected by some or all of the Qmage-related bugs," which includes the Samsung Galaxy Note 4 and later, Galaxy S5 and later, and the entire Samsung Galaxy A (Alpha) series.
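
For anyone managing more than one phone, the update check above can be scripted. The following is an added example, not code from the article or from Samsung: it parses `adb shell getprop` output and flags Samsung devices whose Android security patch level predates May 2020. It assumes the reported patch level reflects Samsung's May 2020 security update, and that a Samsung device reporting no patch level at all should be treated as unpatched; the sample dumps are constructed.

```python
import re
from datetime import date

# From the article: the flaw is fixed in Samsung's May 2020 security update.
FIXED_PATCH_LEVEL = date(2020, 5, 1)
PROP_LINE = re.compile(r"^\[(?P<key>[^\]]+)\]: \[(?P<value>.*)\]$")


def parse_getprop(dump):
    """Parse `adb shell getprop` output ("[key]: [value]" per line) into a dict."""
    props = {}
    for line in dump.splitlines():
        match = PROP_LINE.match(line.strip())
        if match:
            props[match.group("key")] = match.group("value")
    return props


def qmage_exposure(props):
    """Return 'not-samsung', 'patched' or 'needs-update' for one device."""
    maker = props.get("ro.product.manufacturer", "").strip().lower()
    if maker != "samsung":
        return "not-samsung"  # the article says other vendors are unaffected
    raw = props.get("ro.build.version.security_patch", "")
    try:
        level = date.fromisoformat(raw)
    except ValueError:
        # Assumption: a missing or unparseable patch level means unpatched.
        return "needs-update"
    return "patched" if level >= FIXED_PATCH_LEVEL else "needs-update"


def triage(dumps):
    """Map each device label to its exposure status."""
    return {label: qmage_exposure(parse_getprop(d)) for label, d in dumps.items()}


# Constructed sample dumps (not taken from real devices).
SAMPLE_DUMPS = {
    "phone-a": "[ro.product.manufacturer]: [samsung]\n[ro.build.version.security_patch]: [2020-04-01]\n",
    "phone-b": "[ro.product.manufacturer]: [samsung]\n[ro.build.version.security_patch]: [2020-05-01]\n",
    "phone-c": "[ro.product.manufacturer]: [samsung]\n[ro.build.version.release]: [4.4.4]\n",
    "phone-d": "[ro.product.manufacturer]: [Google]\n[ro.build.version.security_patch]: [2020-01-05]\n",
}

if __name__ == "__main__":
    for label, status in triage(SAMPLE_DUMPS).items():
        print(f"{label}: {status}")
```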
