Overview
- Researchers say CVE-2025-21042, an out‑of‑bounds write in Samsung’s libimagecodec.quram.so, was abused in the wild until Samsung patched it in April 2025.
- Malicious DNG images (Digital Negative, a TIFF-based raw photo format handled by that codec library), reportedly sent over WhatsApp, triggered remote code execution without user interaction; no new vulnerability was found in WhatsApp itself, which acted only as the delivery channel.
- The exploit unpacked an embedded ZIP to deploy a loader (b.so, dubbed Bridge Head) and a SELinux policy manipulator (l.so) to elevate permissions and persist.
- Activity, traced back to at least July 2024, targeted Galaxy S22, S23, S24 and Z Fold/Flip 4 devices and enabled audio recording, location tracking, and exfiltration of photos, messages, contacts, logs and files.
- Attribution remains unconfirmed despite infrastructure similarities to Stealth Falcon; samples came from Morocco, Iran, Iraq and Turkey, and Turkey’s USOM flagged related C2 servers, with researchers tying the tactic to a broader wave of DNG-based exploits.
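The chain above hinges on two facts a defender can check without the codec bug itself: a DNG is a TIFF container, and the payload rode inside the image as a ZIP archive. The following triage scanner is an added example, not code from the researchers, Samsung or any of the sources summarized here. It assumes only those two facts; the exact offset and packaging the real samples used are not given on the page, so it searches the whole file for ZIP local-file-header and end-of-central-directory signatures and then tries to parse the archive. The sample DNG-like bytes and the `b.so`/`l.so` entry contents are constructed placeholders.

```python
"""Triage scanner: flag DNG/TIFF images that carry an embedded ZIP archive.

Added example (not from the researchers or Samsung). Assumptions:
  - DNG files are TIFF containers (4-byte magic + IFD0 offset).
  - The staged payload was a ZIP somewhere inside the image bytes; its real
    placement is unknown here, so the whole buffer is searched.
"""
import io
import struct
import zipfile
from typing import Optional

TIFF_LE = b"II*\x00"      # little-endian TIFF magic
TIFF_BE = b"MM\x00*"      # big-endian TIFF magic
ZIP_LFH = b"PK\x03\x04"   # ZIP local file header signature
ZIP_EOCD = b"PK\x05\x06"  # ZIP end-of-central-directory signature


def is_tiff_container(data: bytes) -> bool:
    """True if the buffer has a TIFF magic and an IFD0 offset inside the file."""
    if len(data) < 8 or data[:4] not in (TIFF_LE, TIFF_BE):
        return False
    endian = "<" if data[:2] == b"II" else ">"
    ifd0 = struct.unpack(endian + "I", data[4:8])[0]
    return 8 <= ifd0 < len(data)


def find_embedded_zip(data: bytes) -> Optional[dict]:
    """Return {'offset': int, 'names': [...]} for an embedded ZIP, else None.

    Requiring both a local-file-header and an EOCD record cuts down on
    false positives from 'PK\\x03\\x04' appearing by chance in pixel data.
    """
    start = data.find(ZIP_LFH)
    if start == -1 or data.rfind(ZIP_EOCD) == -1:
        return None
    try:
        with zipfile.ZipFile(io.BytesIO(data[start:])) as zf:
            return {"offset": start, "names": zf.namelist()}
    except zipfile.BadZipFile:
        # Signatures present but archive unparseable: still worth flagging.
        return {"offset": start, "names": []}


def scan_image(data: bytes) -> dict:
    """Combine both checks into one verdict for a candidate file."""
    tiff = is_tiff_container(data)
    embedded = find_embedded_zip(data) if tiff else None
    return {"tiff": tiff, "embedded_zip": embedded, "suspicious": embedded is not None}


def build_sample(with_zip: bool) -> bytes:
    """Constructed minimal little-endian TIFF, optionally with a ZIP appended.

    The ZIP entry names mirror the loader names reported on the page; the
    entry bytes are placeholders, not real payloads.
    """
    header = TIFF_LE + struct.pack("<I", 8)            # IFD0 at offset 8
    ifd = struct.pack("<H", 1)                          # one directory entry
    ifd += struct.pack("<HHII", 256, 3, 1, 1)           # ImageWidth, SHORT, count 1, value 1
    ifd += struct.pack("<I", 0)                         # no next IFD
    body = header + ifd + bytes(64)                     # fake pixel data
    if with_zip:
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr("b.so", b"\x7fELF placeholder")
            zf.writestr("l.so", b"\x7fELF placeholder")
        body += buf.getvalue()
    return body


if __name__ == "__main__":
    for label, sample in (("clean", build_sample(False)), ("stager", build_sample(True))):
        print(label, scan_image(sample))
```

Run it on a directory of received images to shortlist files for deeper analysis; a hit does not prove exploitation (legitimate tools occasionally append trailers), but a TIFF that parses as a ZIP containing shared objects is exactly the artifact described above and deserves a closer look.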