[Image: Samsung Galaxy S24 smartphone displaying a WhatsApp message with a malicious DNG image attachment]

Samsung Galaxy Devices Targeted by LandFall Spyware Through CVE-2025-21042 Zero-Day Vulnerability Exploited via WhatsApp Images

Samsung mobile devices were affected by a critical security vulnerability tracked as CVE-2025-21042. This out-of-bounds write flaw exists in the libimagecodec.quram.so library, part of the image processing framework on Samsung Android devices. The vulnerability received a CVSS severity score of 9.8 out of 10, classifying it as critical. Affected firmware versions include those prior to the SMR Apr-2025 Release 1 update. The National Vulnerability Database listed the vulnerability on November 10, 2025.

Threat actors exploited CVE-2025-21042 as a zero-day to deliver LandFall spyware. Researchers from Palo Alto Networks Unit 42 identified LandFall as a commercial-grade Android spyware family targeting Samsung Galaxy devices. Attackers embedded the spyware in malformed DNG raw image files with appended ZIP archives containing shared object libraries. These files triggered remote code execution upon processing by the vulnerable library. The campaign operated from at least July 2024 through early 2025, before Samsung applied the patch.

WhatsApp served as the primary delivery vector for the malicious DNG images. Recipients in targeted regions received the files without requiring user interaction beyond standard message preview. The exploit chain enabled zero-click installation of LandFall on compatible devices. Palo Alto Networks analysis confirmed samples with filenames such as IMG-20240723-WA0000.jpg, indicating WhatsApp origin. No vulnerabilities in WhatsApp itself facilitated the attacks.
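The two file-level indicators described above, a DNG (TIFF-based) body delivered under a WhatsApp-style .jpg filename and a ZIP archive appended to the image that carries shared object libraries, can be triaged without ever decoding the image. The script below is an added illustration of that defender-side check; it is not code from Unit 42, Samsung, or the article. The regular expression for the WhatsApp naming scheme and the .so heuristic are assumptions drawn from the filename and payload description above, and the sample files it inspects are constructed inline.

```python
import io
import re
import struct
import zipfile

# DNG is a TIFF extension, so a genuine DNG starts with one of the two TIFF
# byte-order markers.
TIFF_MAGICS = (b"II*\x00", b"MM\x00*")
# Signature of the ZIP end-of-central-directory (EOCD) record.
EOCD_SIG = b"PK\x05\x06"
# WhatsApp's default media naming scheme (IMG-YYYYMMDD-WAnnnn.ext); assumed
# from the sample filename quoted in the article.
WHATSAPP_NAME = re.compile(r"^IMG-\d{8}-WA\d{4}\.(jpe?g|png|dng)$", re.IGNORECASE)


def find_appended_zip(data: bytes):
    """Return (archive_offset, entry_names) if a ZIP archive is concatenated onto
    the data, or None. The EOCD record stores the central directory's size and its
    offset relative to the archive start; subtracting both from the EOCD position
    gives the byte at which the archive was glued onto the image."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0 or eocd + 22 > len(data):
        return None
    # EOCD layout after the 4-byte signature: disk(2) cd_disk(2) n_this(2)
    # n_total(2) cd_size(4) cd_offset(4) comment_len(2); cd_size starts at +12.
    cd_size, cd_offset = struct.unpack_from("<II", data, eocd + 12)
    archive_offset = eocd - cd_size - cd_offset
    if archive_offset < 0:
        return None
    try:
        with zipfile.ZipFile(io.BytesIO(data[archive_offset:])) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return None
    return archive_offset, names


def analyze_image(filename: str, data: bytes) -> dict:
    """Flag image files showing the indicators the article describes: a TIFF/DNG
    body delivered under a .jpg name, and a ZIP archive appended to the image
    that carries shared object (.so) libraries."""
    is_tiff = data[:4] in TIFF_MAGICS
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    appended = find_appended_zip(data)
    entries = appended[1] if appended else []
    shared_objects = [n for n in entries if n.lower().endswith(".so")]
    result = {
        "filename": filename,
        "whatsapp_style_name": bool(WHATSAPP_NAME.match(filename)),
        "is_tiff": is_tiff,
        "extension_mismatch": is_tiff and ext in ("jpg", "jpeg"),
        "appended_zip_offset": appended[0] if appended else None,
        "appended_zip_entries": entries,
        "shared_objects": shared_objects,
    }
    # Any archive glued onto an image is a polyglot worth quarantining; the
    # extension mismatch alone is also enough to escalate.
    result["suspicious"] = appended is not None or result["extension_mismatch"]
    return result


def build_samples() -> dict:
    """Constructed fixtures (not real samples): a TIFF/DNG-style header with a
    harmless stand-in ZIP appended, and a plain JPEG-style file."""
    # Little-endian TIFF header (magic, IFD offset 8), an IFD with zero entries
    # and a null next-IFD pointer, then filler in place of pixel data: 78 bytes.
    dng_like = (b"II*\x00" + struct.pack("<I", 8) + struct.pack("<H", 0)
                + struct.pack("<I", 0) + b"\x00" * 64)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("example_payload.so", b"CONSTRUCTED STAND-IN, NOT A LIBRARY")
    polyglot = dng_like + buf.getvalue()
    jpeg_like = b"\xff\xd8\xff\xe0" + b"\x00" * 32 + b"\xff\xd9"
    return {
        "polyglot": ("IMG-20240723-WA0000.jpg", polyglot),
        "benign": ("IMG-20240723-WA0001.jpg", jpeg_like),
    }


if __name__ == "__main__":
    for label, (name, blob) in build_samples().items():
        verdict = analyze_image(name, blob)
        print(label, "suspicious" if verdict["suspicious"] else "clean", verdict)
```

The check deliberately stops at the container level: it reads the TIFF magic and walks the ZIP trailer, but never hands the image to a decoder, so it can run on a mail gateway or MDM quarantine path without exposing the scanner to the codec bug itself. It says nothing about the memory-corruption trigger inside libimagecodec.quram.so, which this script does not model.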

LandFall spyware provides extensive surveillance capabilities on infected Samsung Galaxy devices. The malware performs device fingerprinting and enumerates installed applications. It accesses the microphone for audio recording, tracks GPS location, and retrieves contacts, SMS messages, call logs, files, photos, and browser history. LandFall also supports call recording and maintains persistence while evading detection. Command-and-control servers across Europe received exfiltrated data via six known domains.

Multiple Samsung Galaxy models running Android 13, 14, or 15 fell within the scope of CVE-2025-21042 exploitation. Vulnerable series include Galaxy S22, S23, S24, Z Fold4, and Z Flip4. Newer flagship models shipped with post-April 2025 firmware are not affected. The campaign focused on individuals in Iraq, Iran, Turkey, and Morocco. VirusTotal submission patterns and C2 infrastructure analysis supported this geographic targeting.

Infrastructure similarities exist between LandFall operations and Stealth Falcon, a surveillance vendor linked to the United Arab Emirates. Stealth Falcon conducted prior spyware campaigns against journalists and activists since 2012. Domain registration patterns and C2 server usage showed overlaps, though researchers stopped short of direct attribution. The operation aligns with commercial spyware vendor tactics, including modular payloads and rapid infrastructure rotation.

Samsung released a patch for CVE-2025-21042 in the April 2025 SMR update. The fix corrects the improper implementation in libimagecodec.quram.so. Device owners receive the update through standard over-the-air channels. The Cybersecurity and Infrastructure Security Agency added the vulnerability to its Known Exploited Vulnerabilities catalog on November 10, 2025, with a remediation deadline of December 1, 2025, for federal agencies.

Users of affected Samsung Galaxy devices should install available security updates immediately. The latest software is available in Settings under the Software Update menu. Exercise caution with unsolicited WhatsApp messages containing image attachments, particularly from unknown sources. Enable auto-updates for timely protection against similar image processing vulnerabilities. Enterprises benefit from mobile device management tools to enforce patching across fleets.