All Samsung phones since 2014 vulnerable to scary 'zero-click' attack — what to do

Image: Samsung Galaxy S20 (Image credit: Tom's Guide)

Samsung is patching a critical security issue affecting all its Android smartphones dating back to 2014, including Galaxy phones. The newly discovered flaw is a "zero-click" vulnerability: an attacker could compromise your phone simply by sending you a specific type of image, with no action required on your part.

As reported by ZDNet, this vulnerability was discovered by Mateusz Jurczyk, a security researcher on Google's Project Zero team. Jurczyk notes that the flaw lies in how Samsung phones handle the Qmage image format (.qmg), which has been supported on all Galaxy devices from late 2014 onward, beginning with Android 4.4.4 KitKat.

How the attack works

As Jurczyk demonstrated in a video, the vulnerability lets attackers abuse the Skia image library, which processes every image sent to an Android device, for example to generate thumbnail previews. The flaw does not exist in non-Samsung phones.

Jurczyk targeted the Samsung Messages app, sending a series of MMS messages to a Samsung device, each one attempting to find the location of the Skia library in the phone's memory.

Once the Skia library has been located, one final MMS message carrying a Qmage file is sent, which can then run malicious code on the phone. Because this is a zero-click attack, users are affected immediately, even if they never open the message.

According to Jurczyk, the attack requires between 50 and 300 MMS messages to bypass Android's ASLR (Address Space Layout Randomization) protection and find the vulnerable spot in system memory, which can be done in less than 2 hours.

He also notes that he found ways to get the MMS messages processed without triggering a notification, so the attack can happen without the user ever seeing a text alert.
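The traffic pattern described above, dozens of MMS messages from one sender within a couple of hours, is something a carrier, MDM or messaging gateway can watch for. The following is an added defensive illustration, not code from the article or from Jurczyk's research: a sliding-window check that flags a sender who delivers at least 50 MMS (the low end of the article's range) inside any two-hour span. The sender numbers, timestamps and attachment names are constructed sample data.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Threshold and window taken from the article: the demonstrated attack needed
# roughly 50 to 300 MMS messages and finished in under two hours.
BURST_THRESHOLD = 50
BURST_WINDOW = timedelta(hours=2)


def is_qmage_attachment(filename: str) -> bool:
    """True if the attachment carries the Samsung Qmage extension (.qmg)."""
    return filename.lower().endswith(".qmg")


def flag_mms_bursts(records, threshold=BURST_THRESHOLD, window=BURST_WINDOW):
    """Return {sender: time_first_flagged} for every sender that delivered at
    least `threshold` MMS within any `window`-long sliding window.

    `records` is an iterable of (timestamp, sender, attachment_name) tuples,
    sorted by timestamp. All MMS count, not just Qmage ones, because the probing
    messages the article describes precede the final Qmage payload."""
    recent = defaultdict(deque)  # sender -> timestamps still inside the window
    flagged = {}
    for ts, sender, _attachment in records:
        q = recent[sender]
        q.append(ts)
        while q and ts - q[0] > window:  # evict events older than the window
            q.popleft()
        if len(q) >= threshold and sender not in flagged:
            flagged[sender] = ts
    return flagged


def constructed_sample():
    """Constructed log (hypothetical numbers): 60 MMS from one sender spread
    over 90 minutes, plus a little benign traffic from two other senders."""
    t0 = datetime(2020, 5, 7, 9, 0)
    records = [(t0 + timedelta(minutes=1.5 * i), "+15550000001", f"probe{i}.qmg")
               for i in range(60)]
    records += [(t0 + timedelta(minutes=5), "+15550000002", "photo.jpg"),
                (t0 + timedelta(minutes=40), "+15550000003", "holiday.qmg"),
                (t0 + timedelta(minutes=70), "+15550000002", "cat.gif")]
    return sorted(records)


if __name__ == "__main__":
    for sender, when in flag_mms_bursts(constructed_sample()).items():
        print(f"burst from {sender} reached threshold at {when:%H:%M:%S}")
```

A slower sender that spreads the same 60 messages over many hours never accumulates 50 inside one window and is not flagged, so tune the window to the delivery rate you actually observe.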

What to do if you're affected

This flaw was patched in Samsung's May 2020 Security Update for Android, so if you own a Samsung device from 2014 or later, install the update as soon as it is available.

Jurczyk said that "all Samsung Android devices released since late 2014 / early 2015 up to today's flagships are affected by some or all of the Qmage-related bugs," which includes the Samsung Galaxy Note 4 and newer, Galaxy S5 and newer, and the entire Samsung Galaxy A (Alpha) series. 

Michael Andronico

Mike Andronico is Senior Writer at CNNUnderscored. He was formerly Managing Editor at Tom's Guide, where he wrote extensively on gaming, as well as running the show on the news front. When not at work, you can usually catch him playing Street Fighter, devouring Twitch streams and trying to convince people that Hawkeye is the best Avenger.

Comment from fs.gcs:

    admin said:
    Samsung just patched a dangerous 'zero-click' vulnerability that allows hackers to attack phones with image files.
    All Samsung phones since 2014 vulnerable to scary 'zero-click' attack — what to do

    The 'scope' section of the Samsung Security Updates page defines which devices will get the update and when. Anything older than a Galaxy 8 won't get the security update.