
Samsung Zero-Click Exploit: How LANDFALL Android Spyware is Deployed Through WhatsApp

A recently patched vulnerability in Samsung Galaxy Android devices was exploited as a zero-day, enabling the delivery of a sophisticated Android spyware known as LANDFALL during targeted attacks primarily focused in the Middle East.

The exploitation centered on an out-of-bounds write flaw in the libimagecodec.quram.so component, tracked as CVE-2025-21042 (CVSS score 8.8), which allowed remote attackers to execute arbitrary code. Reports indicate that Samsung issued a patch for the flaw in April 2025, after attacks in the wild had already been discussed.

Palo Alto Networks Unit 42 revealed that this vulnerability had been actively exploited even before the patch was available, targeting individuals in Iraq, Iran, Turkey, and Morocco. In a related context, Samsung disclosed another vulnerability in the same library, CVE-2025-21043, in September 2025, which was also found to be exploited in similar fashion.

Investigative efforts revealed that the attacks involved sending malicious images through WhatsApp, specifically in DNG (Digital Negative) format, with samples identified as early as July 23, 2024. This suggests that the spyware had been in circulation for quite some time.

Once installed on a device, LANDFALL functions as a comprehensive surveillance tool, capable of gathering sensitive information including microphone recordings, location data, photos, contacts, SMS messages, files, and call logs. The attack was likely zero-click, triggering the flaw without requiring any user interaction.

As WhatsApp addressed its own vulnerabilities, researchers noted that a combination of flaws, including one within Apple's platforms, had been chained together in attacks targeting a small number of users, underscoring the complexity and sophistication of contemporary cyber threats.

Further analysis of the malicious DNG files showed that they carried embedded ZIP archives from which a shared object library needed to run the spyware is extracted. The exploit was confirmed to manipulate device security settings so that LANDFALL retained elevated permissions and maintained a persistent connection to a command-and-control server.
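A defender-side triage check for the file characteristic just described, added here as an example and not part of Unit 42's or Samsung's tooling: it validates the TIFF/DNG header, looks for a ZIP archive stored inside the image bytes, and flags archive entries that are shared objects. The sample inputs are constructed inside the block, and the assumption that the embedded ZIP is stored contiguously is ours, not the report's.

```python
import io
import struct
import zipfile

ZIP_LOCAL_HEADER = b"PK\x03\x04"


def is_tiff_like(data: bytes) -> bool:
    """DNG is a TIFF container: 'II' or 'MM' byte-order mark followed by magic 42."""
    if len(data) < 8 or data[:2] not in (b"II", b"MM"):
        return False
    endian = "<" if data[:2] == b"II" else ">"
    return struct.unpack(endian + "H", data[2:4])[0] == 42


def find_embedded_zip_entries(data: bytes) -> list:
    """Names of entries in a ZIP archive embedded in the blob, or [] if none parses.

    Assumption (ours, not from the report): the archive is stored contiguously, so
    the first local-file-header signature marks its start.
    """
    start = data.find(ZIP_LOCAL_HEADER)
    if start == -1:
        return []
    try:
        with zipfile.ZipFile(io.BytesIO(data[start:])) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return []


def assess_dng(data: bytes) -> dict:
    """Triage verdict: a DNG carrying a ZIP with a shared object (.so) inside is suspicious."""
    entries = find_embedded_zip_entries(data)
    flagged = [n for n in entries if n.lower().endswith(".so")]
    return {
        "tiff_header_ok": is_tiff_like(data),
        "embedded_zip_entries": entries,
        "flagged_entries": flagged,
        "suspicious": bool(flagged),
    }


def build_sample(with_payload: bool) -> bytes:
    """Constructed input: minimal little-endian TIFF header (empty IFD), optional ZIP appended."""
    header = b"II" + struct.pack("<HIHI", 42, 8, 0, 0)
    if not with_payload:
        return header + b"\x00" * 64
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("lib/placeholder.so", b"not a real library, constructed for the test")
    return header + buf.getvalue()
```

A real DNG also contains image data and metadata, so in practice this check runs on received attachments before an image decoder ever touches them.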

The exact origin of LANDFALL remains unclear; connections to the Stealth Falcon group have been suggested, but no definitive overlap has been established so far.

Unit 42 emphasized that the presence of these sophisticated exploits in public repositories highlights the need for vigilance and thorough understanding of emerging cyber threats.


