A look at an Android ITW DNG exploit
ID: 23b760e6-6674-5653-af8f-7db47bd12441
STIX ID: report--23b760e6-6674-5653-af8f-7db47bd12441
Feed Name: Google Project Zero
Between July 2024 and February 2025, crafted DNG images uploaded to VirusTotal (and observed in the wild) exploited a bounds/plane validation bug in the Quram image decoder used by Samsung's com.samsung.ipservice to achieve remote code execution. The attackers used opcode-based heap primitives, an ASLR bypass via crafted MapTable substitution tables, and a JOP chain to invoke system() and drop and run a spyware agent, with the payload staged as a polyglot DNG/ZIP. Samsung issued a fix in April 2025 and the issue was later tracked as CVE-2025-21042.
