Samsung Fixes Android 0-Day that May Have Been Used to Spy on WhatsApp Messages
Samsung has fixed a critical flaw in its Android devices, but not before attackers found and exploited the bug, which could allow remote code execution on affected devices. The vulnerability, tracked as CVE-2025-21043, affects Android OS versions 13, 14, 15, and 16.
The issue is an out-of-bounds write in libimagecodec.quram.so, a parsing library used to process image formats on Samsung devices. Remote attackers can abuse the flaw in this library to execute malicious code.
"Samsung was notified that an exploit for this issue has existed in the wild," the electronics giant noted in its September security update. The company's swift action comes after Meta and WhatsApp security teams found the flaw and reported it to Samsung on August 13.
Apps that process images on Samsung devices, potentially including WhatsApp, may trigger this library, but Samsung didn't name specific apps. However, a similar vulnerability, CVE-2025-43300, was recently discovered in Apple devices; it could also be chained with the new Android OS-level flaw to target users.
Meta shortly thereafter issued a security advisory warning that attackers may have chained a WhatsApp bug with an Apple OS-level flaw in highly targeted attacks. The WhatsApp August security update included a fix for CVE-2025-55177, which, as Meta explained, "could have allowed an unrelated user to trigger processing of content from an arbitrary URL on a target's device."
Processing a malicious image file may result in memory corruption, according to Apple's description of CVE-2025-43300. "Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals," the company said.
While Meta didn't mention the newer Android OS-level flaw in its August WhatsApp security update, it seems that CVE-2025-21043 could also be chained with CVE-2025-55177 for a similar attack targeting WhatsApp users on Samsung Android devices instead of Apple's.
Samsung did not immediately respond to The Register's questions, including whether CVE-2025-21043 was used in attacks targeting WhatsApp users with Samsung phones. However, according to a source familiar with the matter, an out-of-bounds write vulnerability in a particular library on Samsung devices may have been exploited to target WhatsApp users and remotely execute code on their devices.
In the August alerts, neither Meta nor Apple detailed who was behind these intrusions. The companies' words - "extremely sophisticated attack against specific targeted individuals" - along with a similar warning from Amnesty International's security boss, suggest a commercial surveillanceware vendor is to blame.
"Early indications are that the WhatsApp attack is impacting both iPhone and Android users, civil society individuals among them," said Donncha Ó Cearbhaill, the head of Amnesty International's Security Lab. "Our team at Amnesty International's Security Lab is actively investigating cases with a number of individuals targeted in this campaign."
On August 29, Amnesty International sounded the alarm on a zero-click exploit being used to hack WhatsApp users. The organization is actively working to investigate and address these incidents.