
Samsung has released a critical security update addressing a remote code execution vulnerability that was actively exploited in targeted attacks against its Android devices. The patch is part of a broader response to a sophisticated spyware campaign that also leveraged a chained zero-click exploit involving WhatsApp and Apple's iOS [1, 4, 10]. The campaign, attributed to the Israeli surveillance vendor Paragon Solutions, used these vulnerabilities to deploy the Graphite spyware on the devices of civil society members, activists, and journalists across multiple countries [2, 9].
The vulnerability, while not explicitly named in the initial Samsung disclosure, appears to be one prong of a multi-platform attack strategy. The chained WhatsApp and Apple zero-click exploit (CVE-2025-55177 and CVE-2025-43300) was specific to Apple platforms, so the operators employed separate methods to compromise Android devices, including Samsung handsets [1, 4]. The Samsung fix coincides with Google's September 2025 Android security update, which patched 120 flaws, including two other zero-day vulnerabilities (CVE-2025-38352 and CVE-2025-48543) reported to be under limited, targeted exploitation [8].
Technical Analysis of the Attack Chain
The core of the campaign was a two-stage exploit chain. The first component, CVE-2025-43300, is a critical flaw (CVSS 8.8) in Apple's ImageIO framework: an out-of-bounds write that corrupts memory when a maliciously crafted image file is parsed [1, 6]. ImageIO is a system framework used by every application on iOS and macOS that decodes images, so the bug is not WhatsApp-specific; WhatsApp merely supplied the delivery path. The second component, CVE-2025-55177, is a high-severity flaw (CVSS 8.0) in WhatsApp described as an "incomplete authorization of linked device synchronization messages." Because the client did not fully verify that a synchronization message really originated from one of the account's paired devices, an attacker could send such a message and make the target's device fetch and process content from an arbitrary URL [1, 3].
Chained together, the WhatsApp sync-message bug forced the target's device to download a malicious image from an attacker-controlled server, and that image then triggered the ImageIO out-of-bounds write, yielding remote code execution and the installation of the Graphite spyware without any user interaction [1, 6, 9, 10]. The Samsung vulnerability patched this month appears to have served as an alternative infection vector for Android targets, demonstrating the operators' ability to field separate chains for multiple platforms.
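To make the authorization class of CVE-2025-55177 concrete, the following is an added, hypothetical model of a linked-device sync handler, not WhatsApp's code. Field names, the pairing-token check, the `fetch_and_render()` sink and the media-host allow-list are all assumptions. The vulnerable handler trusts the device identifier a message claims and hands whatever URL it carries to the image decoder; the hardened handler verifies the device is actually paired, checks the pairing token in constant time, and restricts fetches to the service's own media hosts.

```python
"""
Hypothetical model of an 'incomplete authorization of linked device
synchronization messages' bug. Added illustrative code, not WhatsApp's
implementation; the message layout, pairing tokens and fetch sink are assumed.
"""
import hmac
from dataclasses import dataclass, field
from typing import Dict, List, Optional
from urllib.parse import urlparse


@dataclass
class Account:
    user_id: str
    linked_devices: set = field(default_factory=set)  # devices that completed pairing


@dataclass
class SyncMessage:
    target_user: str
    claimed_device: str   # device the message says it comes from
    session_token: str    # token that should prove pairing was completed
    media_url: str        # content the client is asked to fetch and render


def fetch_and_render(url: str, sink: List[str]) -> None:
    """Stand-in for downloading the URL and passing the bytes to an image parser.
    In the real chain this parser is where the ImageIO memory corruption happens."""
    sink.append(url)


def handle_sync_vulnerable(account: Account, msg: SyncMessage, sink: List[str]) -> bool:
    """Vulnerable: only checks the message is addressed to this user. The claimed
    device is never validated, so any sender can supply the URL that gets parsed."""
    if msg.target_user != account.user_id:
        return False
    fetch_and_render(msg.media_url, sink)   # attacker-controlled URL reaches the decoder
    return True


# Assumed allow-list of the messaging service's own media hosts.
ALLOWED_MEDIA_HOSTS = {"media.example-messenger.invalid"}


def handle_sync_hardened(account: Account, msg: SyncMessage, sink: List[str],
                         pairing_tokens: Dict[str, str]) -> bool:
    """Hardened: the sending device must be paired, must present the token recorded
    at pairing time, and may only point the client at approved media hosts."""
    if msg.target_user != account.user_id:
        return False
    if msg.claimed_device not in account.linked_devices:
        return False                       # unknown device: reject
    expected: Optional[str] = pairing_tokens.get(msg.claimed_device)
    if expected is None or not hmac.compare_digest(expected, msg.session_token):
        return False                       # forged or replayed token: reject
    parsed = urlparse(msg.media_url)
    if parsed.scheme != "https" or parsed.hostname not in ALLOWED_MEDIA_HOSTS:
        return False                       # never fetch from arbitrary origins
    fetch_and_render(msg.media_url, sink)
    return True


def demo() -> Dict[str, bool]:
    """Runs constructed messages through both handlers and reports which
    ones reached the decoder."""
    acct = Account("alice", {"laptop-1"})
    tokens = {"laptop-1": "tok-laptop-1"}
    attacker = SyncMessage("alice", "attacker-dev", "guess",
                           "https://attacker.invalid/payload.dng")
    forged = SyncMessage("alice", "laptop-1", "guess",
                         "https://attacker.invalid/payload.dng")
    paired_bad_url = SyncMessage("alice", "laptop-1", "tok-laptop-1",
                                 "https://attacker.invalid/payload.dng")
    legit = SyncMessage("alice", "laptop-1", "tok-laptop-1",
                        "https://media.example-messenger.invalid/photo.jpg")
    sink: List[str] = []
    return {
        "vuln_accepts_attacker": handle_sync_vulnerable(acct, attacker, sink),
        "hard_rejects_unknown_device": not handle_sync_hardened(acct, attacker, sink, tokens),
        "hard_rejects_forged_token": not handle_sync_hardened(acct, forged, sink, tokens),
        "hard_rejects_bad_host": not handle_sync_hardened(acct, paired_bad_url, sink, tokens),
        "hard_accepts_legit": handle_sync_hardened(acct, legit, sink, tokens),
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {'PASS' if ok else 'FAIL'}")
```

The three hardened checks are independent: device membership defeats a stranger, the token check defeats a sender who has learned a device identifier, and the host allow-list limits damage even if a genuinely paired device is compromised.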
Targeting and Impact Assessment
The campaign was highly targeted, focusing on a small set of individuals. Reported victim counts vary: WhatsApp notified over 90 individuals, while other estimates place the figure at fewer than 200 people [2, 6]. Targets included civil society members, activists, and journalists in countries such as Italy, Canada, Australia, Cyprus, Denmark, Israel, and Singapore [2]. Amnesty International's Security Lab confirmed that both iPhone and Android users were affected, though the chained zero-click exploit itself was specific to Apple devices [1, 4].
The investigation into these attacks produced evidence linking them to the operations of Paragon Solutions. Donncha Ó Cearbhaill, head of Amnesty International's Security Lab, confirmed the campaign's use of commercial spyware [10]. The incident is not isolated: it mirrors an earlier WhatsApp zero-day exploited by Paragon that was patched in March 2025, and it follows the 2019 WhatsApp hack by NSO Group, which resulted in a $167 million judgment against that spyware maker [6, 9, 10].
Patches, Mitigation, and Broader Context
Vendor response was swift. According to the cited reports, WhatsApp addressed CVE-2025-55177 server-side for some users in late 2024, with client updates for iOS and Mac released in late July and early August 2025 [1, 2, 3, 9]; the exact fixed build numbers are listed in Meta's security advisory and should be used as the compliance baseline. Apple patched CVE-2025-43300 in iOS 18.6.2, iPadOS 18.6.2, and the corresponding macOS updates on August 20, 2025 [6, 10]. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the WhatsApp flaw to its Known Exploited Vulnerabilities (KEV) catalog on September 2, 2025, requiring federal agencies to apply patches by September 23, 2025 [6].
For system administrators and security teams, the primary mitigation is to verify that every device runs at least the fixed OS and client versions, not merely that an update was pushed. WhatsApp advised targeted users to perform a full factory reset, in addition to updating their OS and apps, because an update alone does not remove an implant that is already resident [1, 9]. Apple separately recommends Lockdown Mode for users who may be targeted by mercenary spyware. The incident lands in a worsening offensive landscape: a concurrent report highlighted a two-fold increase in password-cracking success rates, from 25% to 46% of environments tested, a reminder that attackers are succeeding with commodity techniques as well as with zero-days [4].
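Verifying patch levels across a fleet is mostly a version-comparison problem, and the common mistake is comparing version strings lexically (where "18.6.10" sorts below "18.6.2"). The following added example, which is not from the article or any vendor tool, checks a constructed MDM inventory against the fixed iOS and iPadOS builds the article names. The inventory rows and field names are assumptions; extend `MIN_FIXED` with the client build numbers from Meta's advisory if your MDM exports app inventory.

```python
"""
Added example: flag inventory rows still below a fixed version.
MIN_FIXED carries the OS builds named in the article; inventory rows and
field names are constructed sample data, not any MDM vendor's export format.
"""
from typing import Dict, List, Optional, Tuple

# Minimum patched versions (from the article). App rows, e.g. WhatsApp builds
# taken from Meta's advisory, would be added here as further keys.
MIN_FIXED: Dict[str, str] = {
    "iOS": "18.6.2",
    "iPadOS": "18.6.2",
}


def parse_version(v: str) -> Tuple[int, ...]:
    """'18.6.2' -> (18, 6, 2). Tolerates a trailing build tag such as
    '18.6.2 (22G100)' and non-numeric components, which are treated as 0."""
    core = v.strip().split()[0]
    parts = []
    for piece in core.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def compare_versions(a: str, b: str) -> int:
    """Numeric, component-wise comparison; missing components count as 0,
    so '18.6' == '18.6.0' and '18.6.10' > '18.6.2'."""
    pa, pb = parse_version(a), parse_version(b)
    width = max(len(pa), len(pb))
    pa += (0,) * (width - len(pa))
    pb += (0,) * (width - len(pb))
    return (pa > pb) - (pa < pb)


def is_patched(platform: str, version: str) -> Optional[bool]:
    """True/False against MIN_FIXED; None when the platform has no baseline
    and therefore cannot be judged (report these separately, never as 'ok')."""
    minimum = MIN_FIXED.get(platform)
    if minimum is None:
        return None
    return compare_versions(version, minimum) >= 0


# Constructed sample inventory. 18.6.10 is not a real iOS release; it is here
# to show why lexical string comparison is wrong.
SAMPLE_INVENTORY: List[Dict[str, str]] = [
    {"device": "ip-001",  "platform": "iOS",     "os_version": "18.6.2"},
    {"device": "ip-002",  "platform": "iOS",     "os_version": "18.6.1"},
    {"device": "ip-003",  "platform": "iOS",     "os_version": "18.6.10"},
    {"device": "ip-004",  "platform": "iOS",     "os_version": "18.6.2 (22G100)"},
    {"device": "ipad-01", "platform": "iPadOS",  "os_version": "18.6"},
    {"device": "and-001", "platform": "Android", "os_version": "15"},
]


def unpatched(inventory: List[Dict[str, str]]) -> List[str]:
    """Devices known to be below the fixed version."""
    return [r["device"] for r in inventory
            if is_patched(r["platform"], r["os_version"]) is False]


def unassessed(inventory: List[Dict[str, str]]) -> List[str]:
    """Devices with no baseline in MIN_FIXED; they need a separate check."""
    return [r["device"] for r in inventory
            if is_patched(r["platform"], r["os_version"]) is None]


if __name__ == "__main__":
    print("unpatched :", unpatched(SAMPLE_INVENTORY))
    print("unassessed:", unassessed(SAMPLE_INVENTORY))
```

Treat the `unassessed` list as seriously as the `unpatched` one: a platform that silently falls outside the baseline table is exactly how an Android fleet gets overlooked while attention is on the iOS chain.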
Relevance and Remediation for Security Professionals
This campaign demonstrates a clear evolution in threat actor tradecraft: chaining vulnerabilities across software layers (a messaging application and the operating system framework it calls into) to produce a potent, zero-click exploit. For defensive teams this means patch management must cover every layer a message traverses, not just the OS: the messaging client, the shared media-parsing frameworks, and the platform itself. That a ubiquitous messaging app could be used to trigger a separate OS-level flaw also argues for application allow-listing on managed devices and for treating phones as untrusted network endpoints, segmented from sensitive internal systems so that a compromised handset yields little lateral movement or exfiltration.
Monitoring for indicators of compromise associated with known commercial spyware such as Graphite is essential. Security operations centers should review DNS and proxy telemetry from mobile devices for connections to watch-listed domains and for the regular, low-volume beaconing typical of implants, and should scrutinize device processes for the injection and persistence mechanisms common to these toolkits. The value of such exploits is underscored by the $1 million bounty offered for a WhatsApp exploit at the Pwn2Own Ireland 2025 competition, a measure of the resources dedicated to finding these flaws [6].
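As an added example of the two checks a SOC would run over mobile egress telemetry, the code below scans constructed proxy log lines for contacts to watch-listed domains (matching subdomains by DNS label, not by substring) and for regular-interval repeated contacts from one source to one host, the beaconing pattern implants tend to show. This is not from the article; the domains, log format and thresholds are made up, and nothing here reflects Graphite's actual infrastructure.

```python
"""
Added example: watch-list matching plus a beaconing heuristic over constructed
proxy logs. WATCHLIST entries, the log format and thresholds are assumptions.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

# Assumed indicator set; in practice this is fed from a threat-intel source.
WATCHLIST = {"c2.example-bad.invalid", "cdn-updates.example-bad.invalid"}

# Assumed log layout: <ISO8601 timestamp> <source ip> <destination host> <bytes>
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<host>\S+)\s+(?P<bytes>\d+)$")

# Constructed sample log. The last line shows why substring matching is unsafe:
# it contains 'c2.example-bad.invalid' as text but is a different domain.
SAMPLE_LOG = """\
2025-09-01T10:00:01Z 10.0.0.5 media.example-messenger.invalid 48213
2025-09-01T10:00:03Z 10.0.0.5 img.c2.example-bad.invalid 921
2025-09-01T10:00:33Z 10.0.0.5 img.c2.example-bad.invalid 310
2025-09-01T10:01:03Z 10.0.0.5 img.c2.example-bad.invalid 305
2025-09-01T10:01:33Z 10.0.0.5 img.c2.example-bad.invalid 298
2025-09-01T10:05:00Z 10.0.0.7 www.example.org 1200
2025-09-01T10:06:00Z 10.0.0.7 notc2.example-bad.invalid.evil.test 500
"""


def matches_watchlist(host: str) -> bool:
    """True if host equals a watch-listed domain or is a subdomain of one.
    Comparison is by whole DNS labels, so 'xc2.example-bad.invalid' does not match."""
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in WATCHLIST for i in range(len(labels)))


def parse_log(text: str) -> List[Dict[str, object]]:
    rows = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than failing the whole run
        rows.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "src": m["src"], "host": m["host"].lower(), "bytes": int(m["bytes"]),
        })
    return rows


def find_beacons(rows: List[Dict[str, object]], min_contacts: int = 4,
                 max_jitter_s: float = 5.0) -> List[Tuple[str, str]]:
    """Flag (src, host) pairs contacted at least min_contacts times whose
    inter-arrival intervals vary by less than max_jitter_s (sample stdev)."""
    per_pair: Dict[Tuple[str, str], List[datetime]] = defaultdict(list)
    for r in rows:
        per_pair[(r["src"], r["host"])].append(r["ts"])
    beacons = []
    for pair, times in per_pair.items():
        if len(times) < min_contacts:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if statistics.stdev(gaps) <= max_jitter_s:
            beacons.append(pair)
    return sorted(beacons)


def analyze(text: str) -> Dict[str, object]:
    rows = parse_log(text)
    hits = sorted({(r["src"], r["host"]) for r in rows if matches_watchlist(r["host"])})
    return {"rows": len(rows), "watchlist_hits": hits, "beacons": find_beacons(rows)}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    print(f"parsed {result['rows']} rows")
    print("watch-list hits:", result["watchlist_hits"])
    print("beacon candidates:", result["beacons"])
```

The beaconing check is deliberately separate from the watch-list: indicator lists age quickly for operators who rotate infrastructure, whereas periodic check-ins to a host the device had never contacted before remain visible regardless of domain.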
The patching of multiple Android zero-days in the same period, including the one in Samsung's software, highlights the persistent targeting of mobile platforms. Organizations with a mobile workforce must treat mobile device management (MDM) and mobile threat defense (MTD) as core components of their security architecture, with MDM used to enforce and verify minimum OS and application versions rather than merely to push updates.
The discovery and exploitation of these vulnerabilities illustrate the capabilities of mercenary spyware vendors and the ongoing threat they pose to high-risk individuals. CISA's move to mandate patching within three weeks signals how seriously government agencies view the threat. For security professionals, the incident is a reminder that well-resourced adversaries continue to find and exploit subtle flaws across the entire stack, from messaging clients to image-parsing frameworks to the OS. Vigilant patch management, robust network monitoring, and defense in depth remain the most effective responses.