Samsung fixes Android 0-day that may have been used to spy on WhatsApp messages
Samsung has fixed a critical flaw that affects its Android devices – but not before attackers found and exploited the bug, which can be used to run code remotely on a vulnerable handset.
The vulnerability, tracked as CVE-2025-21043, affects Android OS versions 13, 14, 15, and 16. It’s due to an out-of-bounds write vulnerability in libimagecodec.quram.so, a parsing library used to process image formats on Samsung devices, which remote attackers can abuse to execute malicious code.
“Samsung was notified that an exploit for this issue has existed in the wild,” the electronics giant noted in its September security update.
The Meta and WhatsApp security teams found the flaw and reported it to Samsung on August 13. Apps that process images on Samsung kit, potentially including WhatsApp, may trigger this library, but Samsung didn’t name specific apps.
The warning is interesting because, later in August, Meta issued a security advisory warning that attackers may have chained a WhatsApp bug with an Apple OS-level flaw in highly targeted attacks.
The WhatsApp August security update included a fix for CVE-2025-55177 that, as Meta explained, “could have allowed an unrelated user to trigger processing of content from an arbitrary URL on a target’s device.”
That security advisory went on to say, “We assess that this vulnerability, in combination with an OS-level vulnerability on Apple platforms (CVE-2025-43300), may have been exploited in a sophisticated attack against specific targeted users.”
CVE-2025-43300 is an out-of-bounds write issue that Apple addressed on August 20 with a patch that improves bounds checking in the ImageIO framework. “Processing a malicious image file may result in memory corruption,” the iThings maker said at the time. “Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals.”
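Both the Samsung and the Apple bugs described above are the same class of defect: an image decoder takes a count or length from the file it is parsing and writes that much data into a fixed-size buffer without first checking that it fits, and the fix is the bounds check that was missing. The following C program is an added illustration of that pattern and is not code from libimagecodec.quram.so, ImageIO, Samsung, Apple or Meta; the "TIMG" container, the MAX_PALETTE limit and every function name in it are invented for the example. It decodes a constructed sample image once with a loop bound trusted from the file and once with the count and the declared sizes validated first, and reports whether the unchecked version walked past its palette into neighbouring decoder state.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed toy container (not any real format):
 *   "TIMG" | u16 width | u16 height | u16 palette_count
 *   | palette_count x u32 RGBA | width*height x u8 palette indices   (little-endian) */
#define HDR_LEN     10
#define MAX_PALETTE 16

typedef struct {
    /* slab[0..15] is the palette; slab[16..31] stands in for whatever state a real
     * decoder keeps right after its palette. Keeping both in one array makes the
     * overrun observable without undefined behaviour in this demo. */
    uint32_t slab[2 * MAX_PALETTE];
    uint16_t width, height;
} decoder_state;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* VULNERABLE: palette_count is taken from the file and used as the loop bound.
 * A count above MAX_PALETTE writes past the palette (out-of-bounds write), and
 * nothing checks that the file actually holds count*4 bytes (out-of-bounds read). */
int decode_unchecked(const uint8_t *buf, size_t len, decoder_state *st)
{
    if (len < HDR_LEN || memcmp(buf, "TIMG", 4) != 0) return -1;
    st->width  = rd16(buf + 4);
    st->height = rd16(buf + 6);
    uint16_t count = rd16(buf + 8);
    const uint8_t *p = buf + HDR_LEN;
    for (uint16_t i = 0; i < count; i++, p += 4)
        st->slab[i] = rd32(p);           /* i may exceed MAX_PALETTE - 1 */
    return 0;
}

/* HARDENED: bound the write (count vs. capacity) and the read (declared sizes vs. len)
 * before touching any memory. */
int decode_checked(const uint8_t *buf, size_t len, decoder_state *st)
{
    if (len < HDR_LEN || memcmp(buf, "TIMG", 4) != 0) return -1;
    uint16_t width = rd16(buf + 4), height = rd16(buf + 6), count = rd16(buf + 8);
    if (count > MAX_PALETTE) return -2;                       /* would overflow the palette */
    size_t need = HDR_LEN + (size_t)count * 4 + (size_t)width * height;
    if (need > len) return -3;                                /* file shorter than it claims */
    st->width = width;
    st->height = height;
    const uint8_t *p = buf + HDR_LEN;
    for (uint16_t i = 0; i < count; i++, p += 4)
        st->slab[i] = rd32(p);
    return 0;
}

/* Build a constructed sample image; palette entry i is marked 0xA0000000 | i. */
size_t build_image(uint8_t *out, size_t cap, uint16_t width, uint16_t height, uint16_t count)
{
    size_t need = HDR_LEN + (size_t)count * 4 + (size_t)width * height;
    if (need > cap) return 0;
    memcpy(out, "TIMG", 4);
    wr16(out + 4, width); wr16(out + 6, height); wr16(out + 8, count);
    uint8_t *p = out + HDR_LEN;
    for (uint16_t i = 0; i < count; i++, p += 4) wr32(p, 0xA0000000u | i);
    memset(p, 0, (size_t)width * height);
    return need;
}

/* Decode a 2x2 constructed image with `count` palette entries, optionally truncated
 * by `cut` bytes. Returns <0 if the decoder rejected it, 0 if it decoded cleanly,
 * 1 if it "succeeded" but overwrote the state adjacent to the palette.
 * Counts above 2*MAX_PALETTE are refused so the demo never leaves the slab. */
int decode_outcome(uint16_t count, size_t cut, int checked)
{
    uint8_t img[256];
    decoder_state st;
    memset(&st, 0, sizeof st);
    if (count > 2 * MAX_PALETTE) return -99;
    size_t n = build_image(img, sizeof img, 2, 2, count);
    if (n == 0 || cut > n) return -99;
    int rc = checked ? decode_checked(img, n - cut, &st) : decode_unchecked(img, n - cut, &st);
    if (rc != 0) return rc;
    for (int i = MAX_PALETTE; i < 2 * MAX_PALETTE; i++)
        if (st.slab[i] != 0) return 1;
    return 0;
}

int main(void)
{
    printf("unchecked, 20 entries: %d (1 = adjacent state clobbered)\n", decode_outcome(20, 0, 0));
    printf("checked,   20 entries: %d (-2 = rejected before any write)\n", decode_outcome(20, 0, 1));
    printf("checked,   truncated : %d (-3 = rejected, shorter than declared)\n", decode_outcome(4, 1, 1));
    return 0;
}
```

In a real decoder the memory after the palette is not a spare array but heap metadata, function pointers or other parser state, which is what turns a trusted count into code execution; the hardened version's two checks are the shape of the "improved bounds checking" that vendor advisories describe. Note that validation has to happen before the first write, not inside the copy loop after it has already run.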
While Meta didn’t mention the newer Android OS-level flaw in its August WhatsApp security update, it seems that CVE-2025-21043 could also be chained with CVE-2025-55177 for a similar attack targeting WhatsApp users on Samsung Android devices instead of Apple’s.
Samsung did not immediately respond, and Meta declined to answer The Register’s questions, including whether CVE-2025-21043 was used in attacks targeting WhatsApp users with Samsung phones.
According to a source familiar with the matter, however, an out-of-bounds write vulnerability in a particular library on Samsung devices may have been exploited to target WhatsApp users and remotely execute code on their devices.
In the August alerts, neither Meta nor Apple detailed who was behind these intrusions.
The companies’ words – “extremely sophisticated attack against specific targeted individuals” – along with a similar warning from Amnesty International’s security boss, suggest a commercial surveillanceware vendor is to blame.
Donncha Ó Cearbhaill, the head of Amnesty International’s Security Lab, on August 29 sounded the alarm on a zero-click exploit being used to hack WhatsApp users.
“Early indications are that the WhatsApp attack is impacting both iPhone and Android users, civil society individuals among them,” he said on social media. “Our team at Amnesty International’s Security Lab is actively investigating cases with a number of individuals targeted in this campaign.” ®