While iOS image-based exploits have received significant public analysis, Android-specific one-shot exploits have historically seen less public documentation. This presentation offers a technical autopsy of an exploit targeting the Samsung-specific Quram image parsing library, used in the wild between late 2024 and early 2025. The attack utilized a crafted DNG file delivered via WhatsApp to achieve remote code execution.
We will examine the memory corruption bug within the proprietary library, the process of turning this into remote code execution, and the techniques used to defeat modern Android mitigations. This analysis aims to contribute further technical detail to the public understanding of vendor-specific mobile exploitation.
Benoît Sevens is a security engineer at Google. As part of the Google Threat Intelligence Group (and formerly Google TAG), he uncovers and dissects in-the-wild zero-day exploits across various vendors and products.
