diff --git a/src/binary-exploitation/common-exploiting-problems.md b/src/binary-exploitation/common-exploiting-problems.md
index 925dc3c534c..4fec3a26254 100644
--- a/src/binary-exploitation/common-exploiting-problems.md
+++ b/src/binary-exploitation/common-exploiting-problems.md
@@ -35,7 +35,49 @@ In order to bypass this the **escape character `\x16` must be prepended to any `
 
 **Here you can** [**find an example of this behaviour**](https://ir0nstone.gitbook.io/hackthebox/challenges/pwn/dream-diary-chapter-1/unlink-exploit)**.**
 
-{{#include ../banners/hacktricks-training.md}}
+## RAW Image Parser Exploitation (DNG/TIFF Metadata & Opcodes)
+
+An in-the-wild Android chain weaponized Samsung's **Quram** DNG/TIFF parser that runs inside the privileged **`com.samsung.ipservice`** service. The attacker only needed the victim to tap a WhatsApp image so it was saved into **`MediaStore`**, after which the Samsung system service automatically ingested the RAW file and executed the exploit.
+
+High-level flow:
+
+1. Craft a TIFF-based DNG payload but give it a harmless WhatsApp-style `.jpg/.jpeg` filename.
+2. Deliver it over any channel that stores media inside `MediaStore` (WhatsApp, MMS, cloud sync, etc.).
+3. Let OEM background services that scan `MediaStore` open the file with their privileged image stack.
+4. Use DNG metadata to steer the parser into fragile code paths and turn opcode processing into a memory-corruption primitive.
+5. Drop a ROP chain/shellcode into RAW buffers that will be dereferenced after the corruption.
+
+Quick triage of suspicious samples:
+
+```bash
+file "WhatsApp Image 2025-02-10 at 4.54.17 PM.jpeg"
+exiftool -OpcodeList1 -OpcodeList2 -OpcodeList3 "WhatsApp Image 2025-02-10 at 4.54.17 PM.jpeg"
+```
+
+### Metadata steering & SubIFDs
 
+- Abuse **multiple SubIFDs** (e.g., Preview + two "Main Image" entries sized 16×16 and 1×1) to force alloc/free patterns that rarely occur in normal RAWs.
+- Set contradictory geometry such as **`ActiveArea = 0 0 10 10`** for a declared 16×16 tile so that internal loops mis-compute iteration bounds and buffer sizes.
+- Mix **strip and tile storage** simultaneously (`TileByteCounts = 256` while `StripByteCounts = 1`) to hit parser logic that assumes only one storage mode is active.
+- Keep `SamplesPerPixel = 1` and CFA metadata inconsistent with the stated color layout to influence de-bayering paths that hold function/vtable pointers.
 
+These tricks let you force the decoder to allocate attacker-sized chunks derived only from metadata, which is perfect for heap grooming before the overflow triggers.
 
+### Opcode list based corruption primitives
+
+- DNG **Opcode Lists** are essentially a DSL that the parser executes before demosaicing. Stuffing **thousands of identical `[opcode 23]` entries** makes the library allocate very large descriptor arrays whose bounds often trust `ImageWidth × ImageHeight`.
+- Chaining **`TrimBounds` → `DeltaPerColumn`** operations while the image dimensions disagree with the `ActiveArea` induces off-by-one writes when coordinates are recomputed between opcodes.
+- Because opcodes execute sequentially, you can first use them to spray controlled data, then trigger the vulnerable opcode that overwrites a nearby pointer with offsets pointing back into your sprayed data.
+
+### Allocator-aware heap grooming
+
+- The campaign shipped **jemalloc and scudo variants**, highlighting that RAW metadata can be tuned to request allocations that match the target allocator's size classes/bins.
+- On **scudo**, the exploit keeps allocations inside a single size class to avoid immediate quarantine while still placing the vulnerable opcode buffer next to an object containing function pointers.
+- On **jemalloc**, the same concept targets small bin freelists and corrupts chunk metadata to pivot execution.
+- Always model the allocator you are targeting: list the sizes that each SubIFD, tile buffer, opcode array, and CFA table will request, and adjust metadata until the victim control structure and your spray buffer sit adjacently.
+
+## References
+
+- [Project Zero: A look at an Android ITW DNG exploit](https://googleprojectzero.blogspot.com/2025/12/a-look-at-android-itw-dng-exploit.html)
+
+{{#include ../banners/hacktricks-training.md}}
diff --git a/src/mobile-pentesting/android-app-pentesting/README.md b/src/mobile-pentesting/android-app-pentesting/README.md
index 423f8f6b0cc..0e1ab9ded2f 100644
--- a/src/mobile-pentesting/android-app-pentesting/README.md
+++ b/src/mobile-pentesting/android-app-pentesting/README.md
@@ -54,6 +54,30 @@ java -jar ../APKEditor.jar m -i splits/ -o merged.apk
 java -jar uber-apk-signer.jar -a merged.apk --allowResign -o merged_signed
 ```
 
+## MediaStore & OEM Privileged Service Attack Surface
+
+Vendors ship privileged background services (for example Samsung's **`com.samsung.ipservice`**) that periodically enumerate Android's **`MediaStore`** and feed every newly indexed image into native stacks such as **Quram** to power "intelligent" gallery features. The 2025 in-the-wild DNG exploit showed that a single WhatsApp-delivered payload (user just taps to download) is enough to hand attacker-controlled RAW data to that service, yielding a 1-click remote attack surface with system-level access compared to the messaging app.
+
+### Testing workflow
+
+1. Identify OEM packages running out of `/system/priv-app` that request `READ_MEDIA_*`, `WRITE_MEDIA_STORAGE`, or vendor-specific media permissions (`adb shell pm list packages -U | grep samsung`).
+2. Confirm whether they register `ContentObserver`s on MediaStore URIs (e.g., `adb shell dumpsys activity services com.samsung.ipservice | grep -i mediastore`).
+3. Deliver a crafted file, force its insertion into MediaStore, and monitor how the privileged service opens it:
+
+```bash
+adb push poc.jpg /sdcard/WhatsApp/Media/WhatsApp\ Images/poc.jpg
+adb shell content insert --uri content://media/external/file --bind _data:s:/sdcard/WhatsApp/Media/WhatsApp\ Images/poc.jpg --bind mime_type:s:image/jpeg
+adb shell logcat -s ipservice:I MediaProvider:I
+```
+
+4. Inspect content-type mismatches (JPEG extension vs. `image/x-adobe-dng`), multiple SubIFDs, and simultaneous strip/tile declarations to confirm you can steer the parser state before fuzzing it.
+
+For parser exploitation primitives that abuse those metadata inconsistencies, check the RAW image exploitation notes:
+
+{{#ref}}
+../../binary-exploitation/common-exploiting-problems.md
+{{#endref}}
+
 ## Android Enterprise & Work Profile Attacks
 
 {{#ref}}
@@ -880,5 +904,6 @@ AndroL4b is an Android security virtual machine based on ubuntu-mate includes th
 - [smali-sslpin-patterns](https://github.com/aancw/smali-sslpin-patterns)
 - [Build a Repeatable Android Bug Bounty Lab: Emulator vs Magisk, Burp, Frida, and Medusa](https://www.yeswehack.com/learn-bug-bounty/android-lab-mobile-hacking-tools)
 - [CoRPhone — Android in-memory JNI execution and packaging pipeline](https://github.com/0xdevil/corphone)
+- [Project Zero: A look at an Android ITW DNG exploit](https://googleprojectzero.blogspot.com/2025/12/a-look-at-android-itw-dng-exploit.html)
 
 {{#include ../../banners/hacktricks-training.md}}
\ No newline at end of file