What if you found a simple integer overflow bug in an obscure image decoding algorithm, and used it to ... build an entire scriptable computer architecture that executes as part of the image decoder itself?
That way, your target doesn't have to do anything but receive and render your trojan image - which it will do automatically in a messaging app like iMessage - and just like that, your code is running on their computer!
The bootstrapping operations for the sandbox escape exploit are written to run on this logic circuit and the whole thing runs in this weird, emulated environment created out of a single decompression pass through a JBIG2 stream. It's pretty incredible, and at the same time, pretty terrifying.
It's downright diabolical.