Kira Chen
Kira (Xingyu) Chen is a senior security researcher at DARKNAVY. He has successfully compromised different targets across various fields. He has achieved RCE on Samsung baseband and Google Chrome, and has performed VM escapes in popular virtualization software such as QEMU, VirtualBox, and VMware Workstation. In addition, he actively participates in CTF competitions as a core member of the champion team AAA & A0E in DEFCON CTFs. He has spoken at several international security conferences, including Black Hat USA, OffensiveCon, Zer0Con, and GeekCon Shanghai & Singapore.
Session
The spyware attack targeting WhatsApp, disclosed in August as an in-the-wild exploit, garnered significant attention. By simply knowing a victim's phone number, an attacker could launch a remote, zero-interaction attack against the WhatsApp application on Apple devices, including iPhones, iPads, and Macs. Subsequent reports indicated that WhatsApp on Samsung devices was also targeted by similar exploits.
In this presentation, we will share our in-depth analysis of this attack, deconstructing the 0-click exploit chain built upon two core vulnerabilities: CVE-2025-55177 and CVE-2025-43300. We will demonstrate how attackers chained these vulnerabilities to remotely compromise WhatsApp and the underlying iOS system without any user interaction or awareness. Following our analysis, we successfully reproduced the exploit chain and constructed an effective PoC capable of simultaneously crashing the target application on iPhones, iPads, and Macs. Finally, we will present our analysis of related vulnerabilities affecting Samsung devices (such as CVE-2025-21043) and share how this investigation led us to discover additional, previously unknown 0-day vulnerabilities.