Project Zero

A look at an Android ITW DNG exploit

Google's Threat Intelligence Group investigated image files uploaded to VirusTotal that were linked to WhatsApp. The files appeared to be JPEGs but were actually DNG files exploiting a vulnerability in Samsung's Quram image parsing library. The targeted process was com.samsung.ipservice, a Samsung service for AI-powered features that parses images in the MediaStore. Because of how WhatsApp handles images, the exploit could be triggered by opening a received image, making it a potential "1-click" exploit.

Analysis showed that the DNG files contained suspicious "opcode lists" with numerous opcodes, deviating from expected DNG standards. The Quram library, a third-party product, handles image format decoding, and the vulnerability lies within Java_com_quramsoft_images_QuramDngBitmap_DecodeDNGImageBufferJNI. The exploit used malformed DNG files to trigger memory corruption within this native function, with the goal of executing code within the com.samsung.ipservice process. The exploit targets the Scudo allocator.
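As an added triage example (not code from the Project Zero write-up), the two indicators above, JPEG-looking files that are really TIFF/DNG and opcode lists declaring many opcodes, can be checked with a bounds-checked IFD walk. The function names, the 16-opcode threshold, the file-extension check and the constructed sample are assumptions made for this illustration.

```python
import struct

# Tag IDs from the DNG specification.
OPCODE_TAGS = {0xC740: "OpcodeList1", 0xC741: "OpcodeList2", 0xC74E: "OpcodeList3"}
SUBIFDS = 0x014A   # TIFF SubIFDs tag; DNG raw IFDs are usually reached through it
MAX_OPCODES = 16   # assumed triage threshold, not a value from the write-up

def opcode_counts(data):
    """Return {list_name: declared opcode count} for TIFF/DNG bytes, else None."""
    if len(data) < 8 or data[:4] not in (b"II*\x00", b"MM\x00*"):
        return None
    e = "<" if data[:2] == b"II" else ">"
    counts, todo, seen = {}, [struct.unpack_from(e + "I", data, 4)[0]], set()
    while todo:
        off = todo.pop()
        if off == 0 or off in seen or off + 2 > len(data):
            continue                                  # loop guard and bounds check
        seen.add(off)
        end = off + 2 + 12 * struct.unpack_from(e + "H", data, off)[0]
        if end + 4 > len(data):
            continue
        todo.append(struct.unpack_from(e + "I", data, end)[0])   # next IFD in chain
        for ent in range(off + 2, end, 12):
            tag, _typ, cnt, val = struct.unpack_from(e + "HHII", data, ent)
            size = cnt * (4 if tag == SUBIFDS else 1)
            pos = ent + 8 if size <= 4 else val       # values <= 4 bytes are inline
            if pos + size > len(data):
                continue
            if tag == SUBIFDS:
                todo.extend(struct.unpack_from(f"{e}{cnt}I", data, pos))
            elif tag in OPCODE_TAGS and cnt >= 4:
                # Opcode lists are always big-endian; the first uint32 is the count.
                name = OPCODE_TAGS[tag]
                counts[name] = counts.get(name, 0) + struct.unpack_from(">I", data, pos)[0]
    return counts

def triage(name, data):
    """Classify a file: 'suspicious', 'mismatch' (JPEG name, TIFF bytes) or 'ok'."""
    counts = opcode_counts(data)
    if counts is None:
        return "ok"
    if any(c > MAX_OPCODES for c in counts.values()):
        return "suspicious"
    return "mismatch" if name.lower().endswith((".jpg", ".jpeg")) else "ok"

def make_sample(n):
    """Constructed input: minimal TIFF whose OpcodeList2 declares n empty opcodes (n >= 1)."""
    body = struct.pack(">I", n) + struct.pack(">IIII", 0, 0, 0, 0) * n
    ifd = struct.pack("<HHHII", 1, 0xC741, 7, len(body), 26) + struct.pack("<I", 0)
    return b"II*\x00" + struct.pack("<I", 8) + ifd + body
```

The count is the value the file declares, so a hit is a reason to quarantine and inspect the file, not proof of exploitation; legitimate DNGs carry opcode lists too, and the threshold needs tuning against known-good samples.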