Saved February 14, 2026
Do you care about this?
This article analyzes a series of DNG image exploits discovered between July 2024 and February 2025 that targeted the Quram image-processing library on Samsung devices. The malicious images were delivered through WhatsApp, with the goal of executing code inside a specific Samsung system service.
If you do, here's more
Between July 2024 and February 2025, six suspicious image files were uploaded to VirusTotal, leading to an investigation by Google's Threat Intelligence Group after a tip from Meta. The files were identified as DNG images specifically targeting the Quram library, which handles image processing on Samsung devices. A blog post by Unit 42 on November 7, 2025, detailed the exploits associated with these images, which were used to deploy spyware. The Samsung vulnerability they exploited was patched in April 2025.
The images were primarily transmitted via WhatsApp, with filenames indicating their source. Notably, the first two images targeted distinct allocators used in different Android versions, with the focus on the scudo allocator for more recent devices. The exploit runs inside the com.samsung.ipservice process, a Samsung system service that parses images from the MediaStore. Although WhatsApp does not automatically download images from untrusted contacts, the exploit can be triggered with a single click, making this effectively a "1-click" attack.
The images, despite carrying a JPEG extension, are actually Digital Negative (DNG) files with characteristics that raised suspicion, in particular their unusually small dimensions and the presence of multiple main image types. DNG files can include opcode lists that dictate processing steps applied during decoding, and these are central to how the exploit executes. The article highlights three opcodes of interest, TrimBounds, MapTable, and DeltaPerColumn, that manipulate image areas. The presence of opcode ID 23, which does not map to any known opcode, further suggests malicious intent. Typical benign DNG files contain only a few opcodes, so the extensive use of these suspicious ones is a key indicator of the exploit's complexity and potential impact.
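As an added example (not code from the article or from Google's analysis), a Python triage parser for the raw value of a DNG OpcodeList tag that flags the two indicators the summary names: opcode IDs that map to no opcode defined in the DNG 1.4 specification, and an unusually long list. The entry layout (big-endian count, then per-opcode id, DNG version, flags and data length) follows the DNG specification; the `max_benign` threshold and the sample list are constructed assumptions.

```python
from __future__ import annotations
import struct

# Opcode IDs defined in the DNG 1.4 specification (used by OpcodeList1/2/3 tags).
KNOWN_OPCODES = {
    1: "WarpRectilinear", 2: "WarpFisheye", 3: "FixVignetteRadial",
    4: "FixBadPixelsConstant", 5: "FixBadPixelsList", 6: "TrimBounds",
    7: "MapTable", 8: "MapPolynomial", 9: "GainMap", 10: "DeltaPerRow",
    11: "DeltaPerColumn", 12: "ScalePerRow", 13: "ScalePerColumn",
}
# Per-opcode header: id, DNG version, flags, data length. Always big-endian.
HEADER = struct.Struct(">IIII")

def parse_opcode_list(blob: bytes) -> list[dict]:
    """Split a raw OpcodeList value into entries, refusing truncated data."""
    if len(blob) < 4:
        raise ValueError("opcode list shorter than its count field")
    count = struct.unpack(">I", blob[:4])[0]
    entries, off = [], 4
    for _ in range(count):
        if off + HEADER.size > len(blob):
            raise ValueError("opcode header runs past end of list")
        op_id, version, flags, data_len = HEADER.unpack_from(blob, off)
        off += HEADER.size
        if off + data_len > len(blob):
            raise ValueError(f"opcode {op_id}: declared data length exceeds list")
        entries.append({"id": op_id, "name": KNOWN_OPCODES.get(op_id),
                        "version": version, "flags": flags,
                        "data": blob[off:off + data_len]})
        off += data_len
    return entries

def triage(blob: bytes, max_benign: int = 4) -> list[str]:
    """Return findings for one opcode list. max_benign is an assumed threshold."""
    entries = parse_opcode_list(blob)
    findings = []
    unknown = sorted({e["id"] for e in entries if e["name"] is None})
    if unknown:
        findings.append(f"unknown opcode id(s) {unknown}")
    if len(entries) > max_benign:
        findings.append(f"{len(entries)} opcodes (benign files usually carry few)")
    return findings

def build_list(ops: list[tuple[int, bytes]]) -> bytes:
    """Constructed test data: assemble an opcode list from (id, payload) pairs."""
    out = struct.pack(">I", len(ops))
    for op_id, data in ops:
        out += HEADER.pack(op_id, 0x01030000, 0, len(data)) + data
    return out

# Constructed sample: area-manipulating opcodes plus the unmapped ID 23.
SUSPICIOUS = build_list([(6, b"\x00" * 16), (7, b"\x00" * 8), (11, b"\x00" * 8),
                         (23, b"\xff" * 4), (6, b"")])
```

Running `triage(SUSPICIOUS)` reports both the unknown ID 23 and the oversized list, while a single TrimBounds entry yields no findings.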