All Samsung phones since 2014 vulnerable to scary 'zero-click' attack — what to do


Samsung is patching a critical security issue affecting all its Android smartphones dating back to 2014, including Galaxy phones. A "zero-click" vulnerability, this newly discovered flaw could let a hacker wreak havoc on your phone by simply sending you a specific type of image, exploiting your device without any user action. 

As reported by ZDNet, this vulnerability was discovered by Mateusz Jurczyk, a security researcher on Google's Project Zero team. Jurczyk notes that this flaw has to do with how Samsung phones handle the Qmage image format (.qmg), which is supported on all Galaxy devices from late 2014 onward, beginning with Android 4.4.4 KitKat. 

How the attack works

As Jurczyk demonstrated in a video, this vulnerability could allow hackers to take advantage of the Skia image library, which processes every image sent to an Android device to create things such as thumbnail previews. The flaw doesn't exist in non-Samsung phones.

Jurczyk carried out the attack through the Samsung Messages app, sending a series of multimedia (MMS) messages to a Samsung device, with each message attempting to find the location of the Skia library in the phone's memory.

Once the Skia library is located, one final multimedia message carrying a Qmage file is sent, which can then attack the phone with malicious code. Because this is a zero-click attack, users would be affected immediately, even if they don't open the message.

According to Jurczyk, the attack would require between 50 and 300 multimedia messages to bypass Android's ASLR (Address Space Layout Randomization) protection and find the vulnerable spot in system memory, which could be done in less than 2 hours. 

He also notes that he's found ways to get the MMS messages processed without triggering a notification, meaning that this attack can happen without a user even getting a text alert. 

What to do if you're affected

This flaw was patched in Samsung's May 2020 Security Update for Android, so if you own a Samsung device from 2014 or later, make sure to install the update when you get it.

Jurczyk said that "all Samsung Android devices released since late 2014 / early 2015 up to today's flagships are affected by some or all of the Qmage-related bugs," which includes the Samsung Galaxy Note 4 and newer, Galaxy S5 and newer, and the entire Samsung Galaxy A (Alpha) series. 

Michael Andronico

  • fs.gcs
    admin said:
    Samsung just patched a dangerous 'zero-click' vulnerability that allows hackers to attack phones with image files.

    The 'scope' section of the Samsung Security Updates page defines what devices will get the update and when. Anything older than a Galaxy 8 won't get the security update.