Overview
- Researchers say the campaign ran from July 2024 into early 2025, abusing CVE-2025-21042, an out-of-bounds write in libimagecodec.quram.so that Samsung fixed in April 2025.
- Malicious DNG files, often appearing as WhatsApp images, triggered code execution without user interaction, with no new WhatsApp vulnerability identified.
- Samples and code references indicate targeting of Galaxy S22, S23, S24, Z Fold 4 and Z Flip 4 models, with VirusTotal uploads from Morocco, Iran, Iraq and Turkey.
- The exploit used an appended ZIP to drop a loader (b.so) and a SELinux policy manipulator (l.so), enabling persistence and extensive surveillance of audio, calls, location, photos, messages and logs.
- Attribution is unresolved despite infrastructure similarities to Stealth Falcon, and users are urged to install April 2025 or later Samsung updates and harden messaging app media settings.