Samsung starting reporting the Qmage image format in the latter part of 2014, and it's been present ever since. What makes it a zero-click bug (i.e., does not require any interaction from the victim) is that when images are sent to a device, Android hands them over to the Skia library to be processed, for things like creating thumbnail images, and it happens behind the scenes.
Left unpatched, and attacker could ping a target handset with multiple multimedia SMS (MMS) messages in repeated attempts to guess where the Skia library resides in a phone's built-in memory. Once that is determined, the attacker could send malicious code under the guise (to the phone) of a Qmage image.
Jurczyk told ZDNet this typically entails between 50 and 300 MMS messages to discern the location and ultimately sidestep Android's ASLR (Address Space Layout Randomization) protection. And even though a high number of messages would usually trigger suspicion, they can be stealthily sent and processed by the target phone without any notifications.
Fortunately, Samsung was relatively quick to roll out a fix after being alerted to the flaw. So again, if you own a Galaxy handset—either a recent one or dating all the way back to something like the Galaxy Note 4 or Galaxy Note Edge (both released in late 2014)—then head over into your device's settings and manually check for an update.