Samsung fixes Android 0-day vulnerability that could have been used to spy on WhatsApp messages

Samsung Patches Critical Android Vulnerability Exploited by Hackers

Samsung has patched a severe security flaw in its Android devices, but not before attackers exploited it in the wild. The vulnerability allowed remote code execution, so a successful exploit gave the attacker control of the victim's device.

Details of the Vulnerability Affecting Samsung Devices

Tracked as CVE-2025-21043, the vulnerability affects Samsung hardware running Android 13, 15, and 16. The root cause is an out-of-bounds write in libimagecodec.quram.so, a closed-source image parsing library that Samsung devices use to decode various image formats. An attacker who can get a crafted image decoded by that library can corrupt memory and execute arbitrary code remotely. Samsung shipped the fix in its September 2025 security maintenance release; a device whose security patch level (Settings > About phone > Software information, or `ro.build.version.security_patch` over adb) reads 2025-09-01 or later carries the fix.
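To make the bug class concrete, the following is an added example and not code from Samsung, Meta, or libimagecodec.quram.so: a toy decoder for a constructed "TIMG" format (a 4-byte magic followed by little-endian width and height) that shows the arithmetic behind a typical image-codec out-of-bounds write beside a bounds-checked version. The format, the function names, and the 16384-pixel dimension ceiling are all assumptions made for illustration.

```c
/* Added example (not Samsung's or Meta's code): a constructed "TIMG" image format
 * used to show how an image decoder ends up writing out of bounds, and how a
 * hardened decoder rejects the same input. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

#define HDR_LEN 12          /* magic "TIMG"(4) + width(4) + height(4), little-endian */
#define MAX_DIM 16384       /* assumed sanity ceiling on either dimension */
#define BYTES_PER_PIXEL 4   /* RGBA */

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = v & 0xff; p[1] = (v >> 8) & 0xff; p[2] = (v >> 16) & 0xff; p[3] = (v >> 24) & 0xff;
}

/* The vulnerable pattern: pixel-buffer size computed in 32 bits straight from header
 * fields the attacker controls. width=0x10000, height=0x10000 wraps to 0, so the
 * decoder would allocate a tiny buffer and then write width*height pixels into it,
 * which is exactly an out-of-bounds heap write. Only the size computation is shown;
 * the write itself is not performed. */
uint32_t unchecked_pixel_bytes(uint32_t width, uint32_t height) {
    return width * height * BYTES_PER_PIXEL;
}

/* Hardened decoder: check the header is present, cap the dimensions, compute the
 * size in 64 bits, and require the file to actually carry that many pixel bytes.
 * Returns 0 on success (caller frees *out), negative on rejection. */
int decode_checked(const uint8_t *buf, size_t len, uint8_t **out, size_t *out_len) {
    if (len < HDR_LEN || memcmp(buf, "TIMG", 4) != 0) return -1;   /* short or wrong magic */
    uint32_t w = rd32(buf + 4), h = rd32(buf + 8);
    if (w == 0 || h == 0 || w > MAX_DIM || h > MAX_DIM) return -2; /* absurd dimensions */
    uint64_t need = (uint64_t)w * h * BYTES_PER_PIXEL;              /* cannot wrap */
    if (need > (uint64_t)(len - HDR_LEN)) return -3;                /* header lies about payload */
    uint8_t *px = malloc((size_t)need);
    if (!px) return -4;
    memcpy(px, buf + HDR_LEN, (size_t)need);                        /* bounded by the check above */
    *out = px;
    *out_len = (size_t)need;
    return 0;
}

/* Build a TIMG file in memory (constructed sample input). Returns total length, 0 if it
 * does not fit in dst. */
size_t make_timg(uint8_t *dst, size_t cap, uint32_t w, uint32_t h, size_t pixel_bytes) {
    if (cap < HDR_LEN + pixel_bytes) return 0;
    memcpy(dst, "TIMG", 4);
    wr32(dst + 4, w);
    wr32(dst + 8, h);
    memset(dst + HDR_LEN, 0xAB, pixel_bytes);
    return HDR_LEN + pixel_bytes;
}

/* Scenarios returning the decoder's verdict so they can be checked programmatically. */
int scenario_valid_2x2(void) {           /* 2x2 RGBA = 16 payload bytes, should decode */
    uint8_t f[64]; uint8_t *px = NULL; size_t n = 0;
    size_t len = make_timg(f, sizeof f, 2, 2, 16);
    int rc = decode_checked(f, len, &px, &n);
    free(px);
    return (rc == 0 && n == 16) ? 0 : -99;
}
int scenario_wrapping_dims(void) {       /* 0x10000 x 0x10000: wraps to 0 in 32 bits */
    uint8_t f[64]; uint8_t *px = NULL; size_t n = 0;
    size_t len = make_timg(f, sizeof f, 0x10000u, 0x10000u, 16);
    return decode_checked(f, len, &px, &n);
}
int scenario_truncated(void) {           /* header claims 4x4 (64 bytes) but carries 16 */
    uint8_t f[64]; uint8_t *px = NULL; size_t n = 0;
    size_t len = make_timg(f, sizeof f, 4, 4, 16);
    return decode_checked(f, len, &px, &n);
}

int main(void) {
    printf("unchecked size for 0x10000x0x10000: %u bytes (wrapped)\n",
           unchecked_pixel_bytes(0x10000u, 0x10000u));
    printf("valid 2x2: %d, wrapping dims: %d, truncated: %d\n",
           scenario_valid_2x2(), scenario_wrapping_dims(), scenario_truncated());
    return 0;
}
```

The two checks that matter are the dimension ceiling (which also blocks the 32-bit wrap) and the comparison of the computed size against the bytes actually present; a real codec has many more fields (planes, strides, palette sizes, chunk lengths) and each one needs the same treatment before it is used as an index or allocation size.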

Discovery and Reporting of the Flaw

The vulnerability was reported to Samsung on August 13 by the security teams at Meta and WhatsApp. Samsung has not said which applications reach the vulnerable library, but it acknowledged that any app that decodes images on a Samsung device, WhatsApp included, could trigger the flaw.

Connection to Broader Security Concerns Involving WhatsApp and Apple

Shortly after the discovery, Meta issued a security advisory warning that the WhatsApp vulnerability it had just fixed could be chained with OS-level flaws to conduct highly targeted attacks. That August WhatsApp update addressed CVE-2025-55177 (reported elsewhere as CVE-2025-55717), a separate bug that allowed an unrelated user to trigger processing of content from an arbitrary URL on a target's device.

Meta warned that this WhatsApp vulnerability, combined with an Apple OS-level flaw (CVE-2025-43300), had likely been exploited in sophisticated attacks against specific targeted individuals. Apple patched CVE-2025-43300 on August 20; it is an out-of-bounds write in the ImageIO framework that causes memory corruption when a malicious image is processed. Apple acknowledged reports that the flaw had been used in extremely sophisticated attacks against select targets.

Potential Exploitation on Samsung Android Devices

Meta's advisory did not mention the Samsung Android vulnerability, but the two OS-level bugs are the same class: an out-of-bounds write in the platform image parser, reachable by any app that decodes an attacker-supplied image. Since CVE-2025-55177 lets an attacker push arbitrary content to a victim's WhatsApp for processing, the same chain shape would plausibly work against Samsung users with CVE-2025-21043 standing in for the Apple ImageIO bug. That is an inference from the bug classes rather than something Meta or Samsung has confirmed, but it is why this looks like a cross-platform campaign built on image processing flaws.

Contextual Insights and Industry Implications

  • WhatsApp has issued warnings about targeted attacks against specific users.
  • NSO Group, a notorious spyware vendor, was ordered to pay Meta $168 million following litigation over WhatsApp-related spyware.
  • The United States has emerged as the leading investor in surveillanceware technologies.
  • Microsoft, Google, and Citizen Lab recently exposed a zero-day vulnerability exploited by government-grade spyware.

Responses and Ongoing Investigations

Samsung has not provided a detailed public response, and Meta declined to comment on whether CVE-2025-21043 was actively used in attacks against WhatsApp users on Samsung devices. Sources familiar with the matter indicate that the out-of-bounds write in Samsung's image processing library was exploited to execute code remotely on victims' devices.

Attribution and Expert Analysis

The language used by both Meta and Apple, describing the attacks as "extremely sophisticated" and aimed at "specific targeted individuals", together with similar warnings from Amnesty International's Security Lab, points toward a commercial surveillanceware vendor. Donncha Ó Cearbhaill, head of Amnesty International's Security Lab, raised concerns on August 29 about a zero-click vulnerability being exploited to compromise WhatsApp accounts on both iPhone and Android, including those of civil society members.

Ó Cearbhaill stated on social media, "Initial evidence suggests the WhatsApp attack affects users across iOS and Android, including activists and human rights defenders. Our team is actively investigating multiple cases linked to this campaign."
