Full Report
Introduction

Between July 2024 and February 2025, six suspicious image files were uploaded to VirusTotal. A lead from Meta brought these samples to the attention of Google Threat Intelligence Group. Analysis showed that they were DNG files targeting Quram, an image parsing library specific to Samsung devices. On November 7, 2025, Unit 42 published a blog post describing how these exploits were used and the spyware they dropped; this post focuses instead on the technical details of how the exploits worked. Samsung fixed the exploited vulnerability in April 2025.

There is excellent prior work describing image-based exploits against iOS, such as Project Zero's writeup on FORCEDENTRY. Comparable in-the-wild "one-shot" image-based exploits against Android have received far less public documentation, which should not be taken to mean they do not exist. We therefore believe a public, technical case study of such an exploit on Android is worthwhile.
Analysis Summary
# Vulnerability: Arbitrary Code Execution via DNG Parsing in Samsung Quram Library
## CVE Details
- CVE ID: Not explicitly listed in the provided text. (Vendor patch released April 2025).
- CVSS Score: Not explicitly listed in the provided text.
- CWE: Not explicitly listed in the provided text; the description points to memory corruption (out-of-bounds access to heap-allocated image buffers) during image parsing.
## Affected Systems
- Products: Samsung devices utilizing the Quram image parsing library.
- Versions: Versions prior to the April 2025 patch. (Specific version numbers are not provided).
- Configurations: Devices where the `com.samsung.ipservice` process is running and actively parsing media store content.
## Vulnerability Description
The vulnerability resides in the Quram library, an image parsing library specific to Samsung devices, which is used by the `com.samsung.ipservice` system process. That process periodically scans the Android MediaStore and parses the images and videos it finds there, so a malicious file only needs to reach the MediaStore to be parsed. A crafted DNG (Digital Negative) file triggers a memory corruption bug that the analysis describes as quite shallow. The bug is used to corrupt the image dimensions, and with them the bounds of the pixel buffer. Once those bounds are corrupted, the rest of the exploit chains legitimate features of the DNG specification into a "weird machine" that bypasses mitigations and achieves reliable code execution.
## Exploitation
- Status: Exploited in the wild (Between July 2024 and February 2025).
- Complexity: The initial bug is simple, but the chain built on top of it requires considerable skill, even though the DNG format supplies powerful primitives out of the box. The delivery scenario described is a malicious image received via WhatsApp; because `com.samsung.ipservice` periodically parses MediaStore content, parsing is triggered by the file's presence in the MediaStore rather than by the target opening the image.
- Attack Vector: Network (the file is delivered remotely through a messaging application such as WhatsApp; the interaction required of the target is limited to receiving the message).
## Impact
- Confidentiality: High (Spyware dropped, targeting access to MediaStore content).
- Integrity: High (Arbitrary code execution within a system process).
- Availability: Not stated; implicitly high, since successful exploitation leads to spyware installation and full compromise of the device.
## Remediation
### Patches
- The exploited Samsung vulnerability was fixed in **April 2025**. (Specific patch version/build reference is not provided).
### Workarounds
- No explicit vendor workarounds were provided in the text.
- **Mitigation Notes:** The analysis suggests that modern memory safety protections like MTE (Memory Tagging Extension) would likely have prevented both the initial vulnerability trigger and the subsequent exploitation primitives.
## Detection
- **Indicators of Compromise:** Receipt of DNG files disguised as JPEGs (a TIFF/DNG container behind a `.jpg` file name), for example files named according to WhatsApp's download conventions and dated between July 2024 and February 2025.
- **Detection Methods and Tools:** Review `com.samsung.ipservice` activity following the ingestion of new media into the MediaStore, and check incoming images for a container format that does not match their extension. At the parser level, the primitives used were out-of-bounds operations on the `MapTable` and `DeltaPerColumn` structures during Quram DNG processing.
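The following triage script is an added example for this report, not code from Google, Samsung or Unit 42. It implements the file-level check described above: it reads the TIFF container that DNG uses, walks IFD0, and flags files that carry the DNGVersion tag (tag 0xC612 in the DNG specification) behind a `.jpg` or `.jpeg` name. It also reports the declared ImageWidth/ImageLength and flags implausible values; the 256-megapixel cap and the WhatsApp-style sample file name are assumptions for illustration, and the embedded DNG header is constructed for testing rather than taken from a real sample.

```python
"""Triage helper: find DNG images hiding behind a JPEG extension.

Added example for this report, not code from Google, Samsung or Unit 42.
It reads the TIFF container that DNG uses and inspects IFD0 for the
DNGVersion tag (0xC612, from the DNG specification) and the declared
ImageWidth/ImageLength tags. The pixel cap below is an assumption,
not a value taken from the report.
"""
import struct
from pathlib import Path
from typing import Optional

IMAGE_WIDTH_TAG = 0x0100
IMAGE_LENGTH_TAG = 0x0101
DNG_VERSION_TAG = 0xC612          # present in IFD0 of every DNG file
JPEG_EXTENSIONS = {".jpg", ".jpeg"}
MAX_PIXELS = 1 << 28              # assumed sanity cap: 256 Mpx, well above any phone sensor


def parse_ifd0(data: bytes) -> Optional[dict]:
    """Return {tag: (type, count, value_or_offset)} for IFD0, or None if not a TIFF container."""
    if len(data) < 8:
        return None
    if data[:4] == b"II*\x00":
        end = "<"                 # little-endian ("Intel") byte order
    elif data[:4] == b"MM\x00*":
        end = ">"                 # big-endian ("Motorola") byte order
    else:
        return None
    (ifd_off,) = struct.unpack(end + "I", data[4:8])
    if ifd_off + 2 > len(data):
        return None               # IFD offset points outside the file
    (count,) = struct.unpack(end + "H", data[ifd_off:ifd_off + 2])
    tags = {}
    pos = ifd_off + 2
    for _ in range(count):
        if pos + 12 > len(data):
            break                 # truncated directory: keep the entries read so far
        tag, typ, n = struct.unpack(end + "HHI", data[pos:pos + 8])
        raw = data[pos + 8:pos + 12]
        if typ == 3 and n == 1:   # SHORT, left-justified in the 4-byte value field
            (val,) = struct.unpack(end + "H", raw[:2])
        else:                     # LONG value, or an offset for anything larger
            (val,) = struct.unpack(end + "I", raw)
        tags[tag] = (typ, n, val)
        pos += 12
    return tags


def classify(name: str, data: bytes) -> dict:
    """Flag a DNG container behind a JPEG name and implausible declared dimensions."""
    tags = parse_ifd0(data)
    result = {"is_tiff": tags is not None, "is_dng": False, "ext_mismatch": False,
              "width": None, "height": None, "suspicious_dimensions": False}
    if tags is None:
        return result
    result["is_dng"] = DNG_VERSION_TAG in tags
    result["ext_mismatch"] = Path(name).suffix.lower() in JPEG_EXTENSIONS
    w = tags.get(IMAGE_WIDTH_TAG, (0, 0, None))[2]
    h = tags.get(IMAGE_LENGTH_TAG, (0, 0, None))[2]
    result["width"], result["height"] = w, h
    if w is not None and h is not None:
        result["suspicious_dimensions"] = w * h > MAX_PIXELS
    return result


def scan_file(path: str) -> dict:
    """Classify a file on disk by its name and contents."""
    with open(path, "rb") as f:
        return classify(path, f.read())


def build_sample_dng(width: int, height: int) -> bytes:
    """Constructed minimal little-endian DNG header for testing (not a real sample)."""
    entries = [
        struct.pack("<HHIHH", IMAGE_WIDTH_TAG, 3, 1, width, 0),
        struct.pack("<HHIHH", IMAGE_LENGTH_TAG, 3, 1, height, 0),
        struct.pack("<HHI4B", DNG_VERSION_TAG, 1, 4, 1, 4, 0, 0),   # DNGVersion 1.4.0.0
    ]
    ifd = struct.pack("<H", len(entries)) + b"".join(entries) + struct.pack("<I", 0)
    return b"II*\x00" + struct.pack("<I", 8) + ifd


if __name__ == "__main__":
    # Constructed file name following WhatsApp's download naming pattern (assumption).
    print(classify("IMG-20240715-WA0001.jpg", build_sample_dng(4000, 3000)))
```

A real JPEG starts with `FF D8`, so it never parses as a TIFF container and is not flagged; a DNG renamed to `.jpg` is reported with `is_dng` and `ext_mismatch` both set. The dimension check is a heuristic for the class of bug this report describes (corrupted image dimensions driving pixel buffer bounds) and will not by itself identify a specific exploit.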
## References
- Unit 42 Blogpost describing usage: hxxps://unit42.paloaltonetworks.com/landfall-is-new-commercial-grade-android-spyware/
- Related Project Zero iOS analysis: hxxps://projectzero.google/2021/12/a-deep-dive-into-nso-zero-click.html
- Project Zero Transparency Reporting: hxxps://projectzero.google/reporting-transparency.html
- Follow-up Quram discoveries: hxxps://googleprojectzero.blogspot.com/p/reporting-transparency.html