back to article One malicious MMS is all it takes to pwn a Samsung smartphone: Bug squashed amid Android patch batch

Samsung has patched a serious security hole in its smartphones that can be exploited by maliciously crafted text messages to hijack devices. It appears no user interaction is required: if Samsung's messaging app bundled with phones since 2015 receives a booby-trapped MMS, it will parse it automatically before the user even …

  1. Anonymous Coward

    Samsung 0 click details

    For details see

    Note that the article says it affects phones since 2014 rather than 2015.

    1. Blazde Silver badge

      Re: Samsung 0 click details

      Of course automatic thumbnail previews are part of the vector.

      I think eventually we'll discover the invention and widespread implementation of these was a highly successful conspiracy by malware authors carefully infiltrated into major software shops across the industry, since they serve no other obvious purpose.

  2. redpawn

    What are the chances

    this will happen to you by accident? No one is so mean spirited as to take advantage of this on purpose so don't worry.

    1. Pascal Monett Silver badge

      Re: What are the chances

      Your universe appears to be nice and comfy.

  3. Tom Chiverton 1

    Contract tracing framework still MiA then?

    1. Anonymous Coward
      Anonymous Coward

      MiA? It was installed yesterday on all Samsung phones made since 2015.

  4. TrumpSlurp the Troll

    Supported, supported, supported.........

    So nothing older than 18 months to 2 years?

  5. Sitaram Chamarty

    zero-click? I'm not so sure...

    I have a 4 years old Samsung "J2-6" (if I remember the model number right). I just checked in the Messages app, and under "Multimedia Messages" I see "Auto retrieve" is off.

    I'm pretty sure I would done that during a permisison sweep when I first got the phone, so granted, it may not be the default, but as it stands, I very much doubt this is "zero-click" for my phone.

    And since I know *no one* who would send an MMS (with Whatsapp being near ubiquitous) if I did get one I would probably just delete it sight-unseen.

    Now, if you can send this via Whatsapp... now that would be a story!

    1. Anonymous Coward
      Anonymous Coward

      Re: zero-click? I'm not so sure...

      You're hosed & don't even know it.

    2. Pascal Monett Silver badge

      Re: if I did get one I would probably just delete it sight-unseen

      I think you missed the part where it says "no user interaction is required".

      You don't need to open it for it to wreak havoc on your phone, it just needs to get to it. That's a bit of a problem. And that was an understatement.

      1. Sitaram Chamarty

        Re: if I did get one I would probably just delete it sight-unseen

        not when "auto-retrieve" is off.

        The message has not been retrieved.

  6. Giles C Silver badge

    Bug number

    There are two bug numbers quoted in this article

    Cve (common vulnerability and exposure) which is at 2020-12637 and covers most of the products out there

    Save (Samsung vulnerability and exposure) is at 2020-16747 which if I am reading this correctly Samsung has found more security bugs in its own products than the cve has listed for all security bugs....

    Wow..... unless I am reading the numbers wrong

    1. cbars Bronze badge

      Re: Bug number

      Might be different thresholds there. All CRs getting a number, for example, as within Samsung that's potentially a security hole so needs tracking. CVEs though, by definition, are bad flaws.

  7. Nate Amsden

    turn off auto mms download

    I did this after the first android media bug came out many years ago. There's been tons since and probably tons more in the future. Doesn't eliminate the vulnerability of course but allows you to ignore random mms from people you don't know which reduces the likelihood of getting hit probably by 99.999%.

    Kind of shocked at this point there isn't more protection or sandbox or something around the messages app. It's probably been at least 4 to 5 years since that first one made big news.

  8. stiine Silver badge

    Galaxy S7 here

    Does anyone else receive regular messages in what I presume is Sanskrit or Arabic? I only use the S7 as a phone or as a hotspot and the only connections I make through it are via tls1.2 or ipsec.

  9. Kevin McMurtrie Silver badge

    So much finger pointing

    Why is it that Google research teams can find complicated potential exploits but they can't find their own abusive customers? Abuse complaints have been filed and Google has even indexed the evidence from abuse tracking web sites. Is hosting a global army of phishers and scammers not a security threat?

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like