Samsung patches a critical exploit its smartphones had since 2014
The exploit was discovered (via ZDNet) by security researcher Mateusz Jurczyk at Google's Project Zero team of security analysts, who are tasked with finding zero-day vulnerabilities on a wide range of products.
As explained by Mateusz, the issue stems from an Android library named Skia that handles the loading and displaying of various image formats, including the aforementioned Qmage. How it handles Qmage can be exploited by sending MMS (Multimedia Messaging Service) messages to a Samsung device, which are received by Samsung's Messages app.
Mateusz notes that the process takes around 100 minutes, depending on factors such as how fast the user's GSM signal is, the amount of messages already on the device, and if Wi-Fi is enabled or not.
As for what the hacker gains after a successful attack, in the case of how Mateusz did it, it's full access to Samsung Messages, which means private user information such as call logs, contact list, microphone, storage access, messages and more.
Samsung patched the bug in its May 2020 security update, after Mateusz discovered it and reported it to the South Korean company in February.
Smartphones from other companies don't appear to be impacted by the exploit, as Samsung is the only company to support the custom Qmage format, which itself was developed in Samsung's home country of South Korea.