• Introduction: Between July 2024 and February 2025, 6 suspicious image files were uploaded to VirusTotal.
• Thanks to a lead from Meta, these samples came to the attention of Google Threat Intelligence Group.
• Investigation showed that these images were DNG files targeting the Quram library, an image parsing library specific to Samsung devices.
• On November 7, 2025, Unit 42 released a blog post describing how these exploits were used and the spyware they dropped.
• In this blog post, we would like to focus on the technical details of how the exploits worked.
• The exploited Samsung vulnerability was fixed in April 2025.
Article Summaries:
- A Google Threat Intelligence Group investigation uncovered a series of malicious DNG image files that appeared on VirusTotal between July 2024 and February 2025. The files targeted Samsung’s Quram image‑parsing library, exploiting a vulnerability that was patched in April 2025. Unit 42 released a blog post on November 7, 2025 detailing how the images, delivered via WhatsApp, triggered the flaw when the com.samsung.ipservice system service scanned the MediaStore for AI features. The attack required only a single click to download the image, leading to a spyware payload. The post focuses on the technical mechanics of the scudo‑allocator exploit, a variant of the earlier jemalloc attack.