Samsung fixes Android 0-day that may have been used to spy on WhatsApp messages

#### [Patches](/security/patches/)**3** Samsung fixes Android 0-day that may have been used to spy on WhatsApp messages===============================================================================**3** A similar vuln on Apple devices was used against ‘specific targeted users’————————————————————————–[Jessica Lyons](/Author/Jessica-Lyons ‘Read more by this author’) Fri 12 Sep 2025 // 19:27 UTC [](https://www.reddit.com/submit?url=https://www.theregister.com/2025/09/12/samsung_fixes_android_0day/%3futm_medium%3dshare%26utm_content%3darticle%26utm_source%3dreddit&title=Samsung%20fixes%20Android%200-day%20that%20may%20have%20been%20used%20to%20spy%20on%20WhatsApp%20messages) [](https://twitter.com/intent/tweet?text=Samsung%20fixes%20Android%200-day%20that%20may%20have%20been%20used%20to%20spy%20on%20WhatsApp%20messages&url=https://www.theregister.com/2025/09/12/samsung_fixes_android_0day/%3futm_medium%3dshare%26utm_content%3darticle%26utm_source%3dtwitter&via=theregister) [](https://www.facebook.com/dialog/feed?app_id=1404095453459035&display=popup&link=https://www.theregister.com/2025/09/12/samsung_fixes_android_0day/%3futm_medium%3dshare%26utm_content%3darticle%26utm_source%3dfacebook) [](https://www.linkedin.com/shareArticle?mini=true&url=https://www.theregister.com/2025/09/12/samsung_fixes_android_0day/%3futm_medium%3dshare%26utm_content%3darticle%26utm_source%3dlinkedin&title=Samsung%20fixes%20Android%200-day%20that%20may%20have%20been%20used%20to%20spy%20on%20WhatsApp%20messages&summary=A%20similar%20vuln%20on%20Apple%20devices%20was%20used%20against%20%27specific%20targeted%20users%27) [](https://api.whatsapp.com/send?text=https://www.theregister.com/2025/09/12/samsung_fixes_android_0day/%3futm_medium%3dshare%26utm_content%3darticle%26utm_source%3dwhatsapp) Samsung has fixed a critical flaw that affects its Android devices – but not before attackers found and exploited the bug, which could allow remote code execution on affected devices.The vulnerability, tracked as CVE-2025-21043, affects Android OS versions 13, 14, 15, and 16. It’s due to an out-of-bounds write vulnerability in libimagecodec.quram.so, a parsing library used to process image formats on Samsung devices, which remote attackers can abuse to execute malicious code.’Samsung was notified that an exploit for this issue has existed in the wild,’ the electronics giant noted in its [September security update](https://security.samsungmobile.com/securityUpdate.smsb). ![](https://pubads.g.doubleclick.net/gampad/ad?co=1&iu=/6978/reg_security/patches&sz=300×50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2aMVA7c0vZNFTl2_6zwdl3QAAAJU&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0)The Meta and WhatsApp security teams found the flaw and reported it to Samsung on August 13. Apps that process images on Samsung kit, potentially including WhatsApp, may trigger this library, but Samsung didn’t name specific apps. ![](https://pubads.g.doubleclick.net/gampad/ad?co=1&iu=/6978/reg_security/patches&sz=300×50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33aMVA7c0vZNFTl2_6zwdl3QAAAJU&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0)The warning is interesting, because Meta shortly thereafter issued a security advisory warning that attackers may have chained a WhatsApp bug with an Apple OS-level flaw [in highly targeted attacks](https://www.theregister.com/2025/09/01/infosec_in_brief/).The WhatsApp August security update included a fix for CVE-2025-55177 that, as Meta explained, ‘could have allowed an unrelated user to trigger processing of content from an arbitrary URL on a target’s device.’ ![](https://pubads.g.doubleclick.net/gampad/ad?co=1&iu=/6978/reg_security/patches&sz=300×50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44aMVA7c0vZNFTl2_6zwdl3QAAAJU&t=ct%3Dns%26unitnum%3D426raptor%3Dfalcon%26pos%3Dmid%26test%3D0)That security advisory [went on to say,](https://www.whatsapp.com/security/advisories/2025/) ‘We assess that this vulnerability, in combination with an OS-level vulnerability on Apple platforms (CVE-2025-43300), may have been exploited in a sophisticated attack against specific targeted users.’CVE-2025-43300 is an out-of-bounds write issue that Apple addressed on August 20 with a patch that improves bounds checking in the ImageIO framework. ‘Processing a malicious image file may result in memory corruption,’ the iThings maker [said](https://support.apple.com/en-us/124925) at the time. ‘Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals.’While Meta didn’t mention the newer Android OS-level flaw in its August WhatsApp security update, it seems that CVE-2025-21043 could also be chained to CVE-2025-55177 for a similar attack targeting WhatsApp users on Samsung Android devices instead of Apple’s.* [WhatsApp warns of ‘attack against specific targeted users’](https://www.theregister.com/2025/09/01/infosec_in_brief/)* [Super spyware maker NSO must pay Meta $168M in WhatsApp court battle](https://www.theregister.com/2025/05/06/nso_group_meta_verdict/)* [We’re number 1! America now leads the world in surveillanceware investment](https://www.theregister.com/2025/09/11/us_surveillanceware_investment/)* [Microsoft, Google, Citizen Lab blow lid off zero-day bug-exploiting spyware sold to governments](https://www.theregister.com/2021/07/16/microsoft_candiru_malware/)Samsung did not immediately respond, and Meta declined to answer *The Register*’s questions, including whether CVE-2025-21043 was used in attacks targeting WhatsApp users with Samsung phones.According to a source familiar with the matter, however, an out-of-bounds write vulnerability in a particular library on Samsung devices may have been exploited to target WhatsApp users and remotely execute code on their devices.In the August alerts, neither Meta nor Apple detailed who was behind these intrusions.The companies’ words – ‘extremely sophisticated attack against specific targeted individuals’ – along with a similar warning from Amnesty International’s security boss, suggest a [commercial surveillanceware vendor](https://www.theregister.com/2025/09/11/us_surveillanceware_investment/) is to blame.Donncha Ó Cearbhaill, the head of Amnesty International’s Security Lab, on August 29 [sounded the alarm](https://x.com/DonnchaC/status/1961444710620303653) on a zero-click exploit being used to hack WhatsApp users.’Early indications are that the WhatsApp attack is impacting both iPhone and Android users, civil society individuals among them,’ he said on social media. ‘Our team at Amnesty International’s Security Lab is actively investigating cases with a number of individuals targeted in this campaign.’ ® [Sponsored: Rethinking application delivery for the hybrid world](https://go.theregister.com/tl/3243/shttps://www.theregister.com/2025/09/09/rethinking_application_delivery_hybrid/) Share [](https://www.reddit.com/submit?url=https://www.theregister.com/2025/09/12/samsung_fixes_android_0day/%3futm_medium%3dshare%26utm_content%3darticle%26utm_source%3dreddit&title=Samsung%20fixes%20Android%200-day%20that%20may%20have%20been%20used%20to%20spy%20on%20WhatsApp%20messages) [](https://twitter.com/intent/tweet?text=Samsung%20fixes%20Android%200-day%20that%20may%20have%20been%20used%20to%20spy%20on%20WhatsApp%20messages&url=https://www.theregister.com/2025/09/12/samsung_fixes_android_0day/%3futm_medium%3dshare%26utm_content%3darticle%26utm_source%3dtwitter&via=theregister) [](https://www.facebook.com/dialog/feed?app_id=1404095453459035&display=popup&link=https://www.theregister.com/2025/09/12/samsung_fixes_android_0day/%3futm_medium%3dshare%26utm_content%3darticle%26utm_source%3dfacebook) [](https://www.linkedin.com/shareArticle?mini=true&url=https://www.theregister.com/2025/09/12/samsung_fixes_android_0day/%3futm_medium%3dshare%26utm_content%3darticle%26utm_source%3dlinkedin&title=Samsung%20fixes%20Android%200-day%20that%20may%20have%20been%20used%20to%20spy%20on%20WhatsApp%20messages&summary=A%20similar%20vuln%20on%20Apple%20devices%20was%20used%20against%20%27specific%20targeted%20users%27) [](https://api.whatsapp.com/send?text=https://www.theregister.com/2025/09/12/samsung_fixes_android_0day/%3futm_medium%3dshare%26utm_content%3darticle%26utm_source%3dwhatsapp) #### More about* [Android](/Tag/Android/)* [Cybercrime](/Tag/Cybercrime/)* [Patch](/Tag/Patch/) More like these × ### More about* [Android](/Tag/Android/)* [Cybercrime](/Tag/Cybercrime/)* [Patch](/Tag/Patch/)* [Samsung](/Tag/Samsung/)* [Security](/Tag/Security/) ### Narrower topics* [2FA](/Tag/2FA/)* [Advanced persistent threat](/Tag/Advanced%20persistent%20threat/)* [Application Delivery Controller](/Tag/Application%20Delivery%20Controller/)* [Authentication](/Tag/Authentication/)* [BEC](/Tag/BEC/)* [Black Hat](/Tag/Black%20Hat/)* [BSides](/Tag/BSides/)* [Bug Bounty](/Tag/Bug%20Bounty/)* [CHERI](/Tag/CHERI/)* [CISO](/Tag/CISO/)* [Common Vulnerability Scoring System](/Tag/Common%20Vulnerability%20Scoring%20System/)* [Cybersecurity](/Tag/Cybersecurity/)* [Cybersecurity and Infrastructure Security Agency](/Tag/Cybersecurity%20and%20Infrastructure%20Security%20Agency/)* [Cybersecurity Information Sharing Act](/Tag/Cybersecurity%20Information%20Sharing%20Act/)* [Data Breach](/Tag/Data%20Breach/)* [Data Protection](/Tag/Data%20Protection/)* [Data Theft](/Tag/Data%20Theft/)* [DDoS](/Tag/DDoS/)* [DEF CON](/Tag/DEF%20CON/)* [Digital certificate](/Tag/Digital%20certificate/)* [Encryption](/Tag/Encryption/)* [End Point Protection](/Tag/End%20Point%20Protection/)* [Exploit](/Tag/Exploit/)* [Firewall](/Tag/Firewall/)* [Hacker](/Tag/Hacker/)* [Hacking](/Tag/Hacking/)* [Hacktivism](/Tag/Hacktivism/)* [Identity Theft](/Tag/Identity%20Theft/)* [Incident response](/Tag/Incident%20response/)* [Infosec](/Tag/Infosec/)* [Infrastructure Security](/Tag/Infrastructure%20Security/)* [Kenna Security](/Tag/Kenna%20Security/)* [NCSAM](/Tag/NCSAM/)* [NCSC](/Tag/NCSC/)* [Palo Alto Networks](/Tag/Palo%20Alto%20Networks/)* [Password](/Tag/Password/)* [Patch Tuesday](/Tag/Patch%20Tuesday/)* [Personally Identifiable Information](/Tag/Personally%20Identifiable%20Information/)* [Phishing](/Tag/Phishing/)* [Pixel](/Tag/Pixel/)* [Quantum key distribution](/Tag/Quantum%20key%20distribution/)* [Ransomware](/Tag/Ransomware/)* [Remote Access Trojan](/Tag/Remote%20Access%20Trojan/)* [REvil](/Tag/REvil/)* [RSA Conference](/Tag/RSA%20Conference/)* [Samsung Galaxy](/Tag/Samsung%20Galaxy/)* [Samsung Galaxy Ace](/Tag/Samsung%20Galaxy%20Ace/)* [Spamming](/Tag/Spamming/)* [Spyware](/Tag/Spyware/)* [Surveillance](/Tag/Surveillance/)* [TLS](/Tag/TLS/)* [Trojan](/Tag/Trojan/)* [Trusted Platform Module](/Tag/Trusted%20Platform%20Module/)* [Vulnerability](/Tag/Vulnerability/)* [Wannacry](/Tag/Wannacry/)* [Zero trust](/Tag/Zero%20trust/) ### Broader topics* [Google](/Tag/Google/)* [Operating System](/Tag/Operating%20System/) #### More aboutShare [](https://www.reddit.com/submit?url=https://www.theregister.com/2025/09/12/samsung_fixes_android_0day/%3futm_medium%3dshare%26utm_content%3darticle%26utm_source%3dreddit&title=Samsung%20fixes%20Android%200-day%20that%20may%20have%20been%20used%20to%20spy%20on%20WhatsApp%20messages) [](https://twitter.com/intent/tweet?text=Samsung%20fixes%20Android%200-day%20that%20may%20have%20been%20used%20to%20spy%20on%20WhatsApp%20messages&url=https://www.theregister.com/2025/09/12/samsung_fixes_android_0day/%3futm_medium%3dshare%26utm_content%3darticle%26utm_source%3dtwitter&via=theregister) [](https://www.facebook.com/dialog/feed?app_id=1404095453459035&display=popup&link=https://www.theregister.com/2025/09/12/samsung_fixes_android_0day/%3futm_medium%3dshare%26utm_content%3darticle%26utm_source%3dfacebook) [](https://www.linkedin.com/shareArticle?mini=true&url=https://www.theregister.com/2025/09/12/samsung_fixes_android_0day/%3futm_medium%3dshare%26utm_content%3darticle%26utm_source%3dlinkedin&title=Samsung%20fixes%20Android%200-day%20that%20may%20have%20been%20used%20to%20spy%20on%20WhatsApp%20messages&summary=A%20similar%20vuln%20on%20Apple%20devices%20was%20used%20against%20%27specific%20targeted%20users%27) [](https://api.whatsapp.com/send?text=https://www.theregister.com/2025/09/12/samsung_fixes_android_0day/%3futm_medium%3dshare%26utm_content%3darticle%26utm_source%3dwhatsapp) **3** COMMENTS #### More about* [Android](/Tag/Android/)* [Cybercrime](/Tag/Cybercrime/)* [Patch](/Tag/Patch/) More like these × ### More about* [Android](/Tag/Android/)* [Cybercrime](/Tag/Cybercrime/)* [Patch](/Tag/Patch/)* [Samsung](/Tag/Samsung/)* [Security](/Tag/Security/) ### Narrower topics* [2FA](/Tag/2FA/)* [Advanced persistent threat](/Tag/Advanced%20persistent%20threat/)* [Application Delivery Controller](/Tag/Application%20Delivery%20Controller/)* [Authentication](/Tag/Authentication/)* [BEC](/Tag/BEC/)* [Black Hat](/Tag/Black%20Hat/)* [BSides](/Tag/BSides/)* [Bug Bounty](/Tag/Bug%20Bounty/)* [CHERI](/Tag/CHERI/)* [CISO](/Tag/CISO/)* [Common Vulnerability Scoring System](/Tag/Common%20Vulnerability%20Scoring%20System/)* [Cybersecurity](/Tag/Cybersecurity/)* [Cybersecurity and Infrastructure Security Agency](/Tag/Cybersecurity%20and%20Infrastructure%20Security%20Agency/)* [Cybersecurity Information Sharing Act](/Tag/Cybersecurity%20Information%20Sharing%20Act/)* [Data Breach](/Tag/Data%20Breach/)* [Data Protection](/Tag/Data%20Protection/)* [Data Theft](/Tag/Data%20Theft/)* [DDoS](/Tag/DDoS/)* [DEF CON](/Tag/DEF%20CON/)* [Digital certificate](/Tag/Digital%20certificate/)* [Encryption](/Tag/Encryption/)* [End Point Protection](/Tag/End%20Point%20Protection/)* [Exploit](/Tag/Exploit/)* [Firewall](/Tag/Firewall/)* [Hacker](/Tag/Hacker/)* [Hacking](/Tag/Hacking/)* [Hacktivism](/Tag/Hacktivism/)* [Identity Theft](/Tag/Identity%20Theft/)* [Incident response](/Tag/Incident%20response/)* [Infosec](/Tag/Infosec/)* [Infrastructure Security](/Tag/Infrastructure%20Security/)* [Kenna Security](/Tag/Kenna%20Security/)* [NCSAM](/Tag/NCSAM/)* [NCSC](/Tag/NCSC/)* [Palo Alto Networks](/Tag/Palo%20Alto%20Networks/)* [Password](/Tag/Password/)* [Patch Tuesday](/Tag/Patch%20Tuesday/)* [Personally Identifiable Information](/Tag/Personally%20Identifiable%20Information/)* [Phishing](/Tag/Phishing/)* [Pixel](/Tag/Pixel/)* [Quantum key distribution](/Tag/Quantum%20key%20distribution/)* [Ransomware](/Tag/Ransomware/)* [Remote Access Trojan](/Tag/Remote%20Access%20Trojan/)* [REvil](/Tag/REvil/)* [RSA Conference](/Tag/RSA%20Conference/)* [Samsung Galaxy](/Tag/Samsung%20Galaxy/)* [Samsung Galaxy Ace](/Tag/Samsung%20Galaxy%20Ace/)* [Spamming](/Tag/Spamming/)* [Spyware](/Tag/Spyware/)* [Surveillance](/Tag/Surveillance/)* [TLS](/Tag/TLS/)* [Trojan](/Tag/Trojan/)* [Trusted Platform Module](/Tag/Trusted%20Platform%20Module/)* [Vulnerability](/Tag/Vulnerability/)* [Wannacry](/Tag/Wannacry/)* [Zero trust](/Tag/Zero%20trust/) ### Broader topics* [Google](/Tag/Google/)* [Operating System](/Tag/Operating%20System/) #### TIP US OFF[Send us news](https://www.theregister.com/Profile/contact/)[#### Android drops mega patch bomb – 120 fixes, two already exploitedSeptember bundle the largest this year, and possibly the most seriousPatches10 days -| 13](/2025/09/03/android_patch_september/?td=keepreading) [#### Boffins build automated Android bug hunting systemAI agent system said to have found more than 100 zero-day flaws in production appsSecurity8 days -| 4](/2025/09/04/boffins_build_automated_android_bug_hunting/?td=keepreading) [#### Crims claim HexStrike AI penetration tool makes quick work of Citrix bugsLLMs and 0-days – what could possibly go wrong?Cyber-crime10 days -| 7](/2025/09/03/hexstrike_ai_citrix_exploits/?td=keepreading) [#### Rethinking application delivery for the hybrid worldWhy bake apps into your OS when you can deliver them as a side dish?Sponsored feature](/2025/09/09/rethinking_application_delivery_hybrid/?td=keepreading) [#### Akira ransomware crims abusing trifecta of SonicWall security holes for extortion attacksPatch, turn on MFA, and restrict access to trusted networks…or elseCyber-crime2 days -|](/2025/09/10/akira_ransomware_abusing_sonicwall/?td=keepreading) [#### Frostbyte10 bugs put thousands of refrigerators at major grocery chains at riskMajor flaws uncovered in Copeland controllers: Patch nowPatches11 days -| 47](/2025/09/02/frostbyte10_copeland_controller_bugs/?td=keepreading) [#### How big will this Drift get? Cloudflare cops to Salesloft Drift breachShow of hands: who WASN’T targeted?Cyber-crime11 days -| 8](/2025/09/02/cloudflare_salesloft_drift_breach/?td=keepreading) [#### Zscaler latest victim of Salesloft Drift attacks, customer data exposedJoins Google, Palo Alto Networks in the ever-growing supply chain compromiseCyber-crime11 days -| 3](/2025/09/02/zscaler_customer_data_drift_compromise/?td=keepreading) [#### It looks like you’re ransoming data. Would you like some help?AI-powered ransomware, extortion chatbots, vibe hacking … just wait until agents replace affiliatesCyber-crime10 days -|](/2025/09/03/ransomware_ai_abuse/?td=keepreading) [#### Hijacker helper VoidProxy boosts Google, Microsoft accounts on demandOkta uncovers new phishing-as-a-service operation with ‘multiple entities’ falling victimCyber-crime2 days -| 1](/2025/09/11/voidproxy_phishing_service/?td=keepreading) [#### AI-powered penetration tool, an attacker’s dream, downloaded 10K times in 2 monthsShady, China-based company, all the apps needed for a fully automated attack – sounds totally legitResearch2 days -|](/2025/09/11/cobalt_strikes_ai_successor_downloaded/?td=keepreading) [#### Apple slips up on ChillyHell macOS malware, lets it past security . . . for 4 years’We do believe that this was likely the creation of a cybercrime group,’ threat hunter tells *The Reg*Research3 days -| 10](/2025/09/10/chillyhell_modular_macos_malware/?td=keepreading)

Related Tags:
CVE-2025-55177

CVE-2025-43300

Howling Scorpius

Topic: Zero Day

GOLD SAHARA

Akira

PUNK SPIDER

NAICS: 334 – Computer And Electronic Product Manufacturing

NAICS: 517 – Telecommunications

Associated Indicators:
null

Threat Intel Solutions

Samsung fixes Android 0-day that may have been used to spy on WhatsApp messages

Search

Popular Posts

Dangerous runC flaws could allow hackers to escape Docker containers

Lost iPhone? Don’t fall for phishing texts saying it was found

NAKIVO Introduces v11.1 with Upgraded Disaster Recovery and MSP Features

Categories

Pages

Archives

Tags

Follow Us