CVE-2025-21042: Samsung Zero-Day Exploited to Deploy LANDFALL Spyware


A serious security flaw in Samsung Galaxy smartphones was exploited as a zero-day vulnerability to secretly install a powerful Android spyware family known as LANDFALL. According to new research from Palo Alto Networks Unit 42, the attacks mainly targeted users in the Middle East before Samsung released a patch.

The exploited bug, tracked as CVE-2025-21042 with a CVSS score of 8.8, was found in Samsung’s image processing component libimagecodec.quram.so. This flaw allowed remote attackers to perform an out-of-bounds write, enabling them to run arbitrary code on the device. Samsung fixed the issue in April 2025, but evidence shows that attackers had already been actively exploiting it in the wild.

Unit 42 reports that the activity cluster, tracked as CL-UNK-1054, appeared to target likely victims in Iraq, Iran, Turkey, and Morocco, based on VirusTotal submissions linked to malicious files involved in the campaign.

This discovery follows Samsung’s earlier disclosure in September 2025 that another vulnerability in the same library, CVE-2025-21043, also rated 8.8, had been exploited as a zero-day. However, researchers confirmed that this second flaw was not used in the LANDFALL attacks.

Investigators believe attackers delivered the exploit using malicious DNG image files sent over WhatsApp. These DNG files appeared as normal images with names like:

  • WhatsApp Image 2025-02-10 at 4.54.17 PM.jpeg

  • IMG-20240723-WA0000.jpg

The oldest known LANDFALL sample dates back to July 23, 2024, showing the long-running nature of the operation.

Researchers noted no major changes between early versions of the spyware from 2024 and samples uploaded in February 2025, suggesting a steady and consistent malware development cycle.

While Unit 42 believes the exploit chain may have been capable of zero-click execution, they found no evidence that such an approach was used. There is also no indication that WhatsApp itself had any unknown vulnerability exploited during this campaign.

Once installed, LANDFALL becomes a full-scale surveillance tool on the victim’s device. It can collect:

  • Microphone recordings

  • Device location (GPS)

  • Photos and media files

  • Contacts

  • SMS messages

  • Call logs

  • Files stored on the device

The spyware specifically targets Samsung’s flagship series, including:

  • Galaxy S22

  • Galaxy S23

  • Galaxy S24

  • Z Fold 4

  • Z Flip 4

Notably, the latest generation of Samsung devices is not currently affected.

Unit 42 discovered that the malicious DNG files contained an embedded ZIP archive hidden at the end of the file. The exploit was triggered when the Samsung image processor parsed the file.

Inside the ZIP archive were:

  1. A shared object (.so) loader used to deploy the LANDFALL spyware

  2. A policy-manipulation module designed to modify the device’s SELinux configuration

    • This allowed LANDFALL to gain elevated privileges and establish long-term persistence.
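A defender-side triage check for the two file traits described above (images carrying a JPEG name but TIFF/DNG content, and a ZIP archive appended after the image data) as an added Python example; it is not Unit 42's tooling, and the sample file and archive entry names it builds are constructed for the demonstration.

```python
import io
import struct
import zipfile
from pathlib import PurePosixPath

TIFF_MAGICS = (b"II*\x00", b"MM\x00*")   # DNG is TIFF-based (little/big endian)
EOCD_SIG = b"PK\x05\x06"                 # ZIP end-of-central-directory signature

def triage_image(name: str, data: bytes) -> dict:
    """Heuristic triage of a received image: flags TIFF/DNG bytes behind a
    JPEG extension and any ZIP archive appended after the image data, and
    lists shared-object (.so) entries. This inspects layout only; it does
    not parse the image with the vulnerable codec."""
    findings = {"is_tiff": data[:4] in TIFF_MAGICS, "ext_mismatch": False,
                "zip_offset": None, "entries": [], "so_entries": []}
    ext = PurePosixPath(name).suffix.lower()
    if findings["is_tiff"] and ext in (".jpg", ".jpeg"):
        findings["ext_mismatch"] = True   # TIFF/DNG content named as JPEG
    # The EOCD record may be followed by a comment of up to 65535 bytes,
    # so search the last 64 KiB + 22 bytes for its signature.
    tail = max(0, len(data) - (0xFFFF + 22))
    pos = data.rfind(EOCD_SIG, tail)
    if pos == -1:
        return findings
    # EOCD: sig(4) disk(2) cd_disk(2) n_here(2) n_total(2) cd_size(4) cd_off(4)
    cd_size, cd_off = struct.unpack_from("<II", data, pos + 12)
    # Archive offsets are relative to the ZIP start, so the appended archive
    # begins at the EOCD position minus the central directory size and offset.
    findings["zip_offset"] = pos - cd_size - cd_off
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:   # tolerates leading data
            findings["entries"] = zf.namelist()
    except zipfile.BadZipFile:
        return findings
    findings["so_entries"] = [n for n in findings["entries"] if n.endswith(".so")]
    return findings

def build_sample() -> bytes:
    """Constructed input: minimal little-endian TIFF header, 64 filler bytes,
    then an appended ZIP with hypothetical entry names."""
    tiff = b"II*\x00" + struct.pack("<I", 8) + b"\x00" * 64
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("libloader.so", b"\x7fELF" + b"\x00" * 16)   # hypothetical name
        zf.writestr("sepolicy.bin", b"\x00" * 8)                  # hypothetical name
    return tiff + buf.getvalue()

if __name__ == "__main__":
    print(triage_image("IMG-20240723-WA0000.jpg", build_sample()))
```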

After installation, the loader contacted a command-and-control (C2) server over HTTPS and entered a beaconing loop, waiting for further commands or additional malware modules.

Unit 42 stated that they could not recover the next-stage payloads, but confirmed LANDFALL’s architecture is modular, meaning the operators could download more spyware components as needed—including tools for deeper surveillance or stronger persistence.


Although the exact threat actor behind LANDFALL remains unknown, Unit 42 observed similarities in the domain registration patterns and C2 infrastructure with Stealth Falcon (also known as FruityArmor), a sophisticated threat group previously linked to high-profile cyber-espionage operations.

However, as of October 2025, researchers have not confirmed any direct operational overlap between the two.

The LANDFALL campaign appears to be part of a broader trend of attackers exploiting DNG image parsing vulnerabilities. Around the same period, a separate campaign targeted iPhone users by chaining vulnerabilities in:

  • WhatsApp for iOS/macOS (CVE-2025-55177)

  • Apple’s iOS, iPadOS, and macOS (CVE-2025-43300)

That campaign targeted fewer than 200 individuals, according to Apple and WhatsApp.

Researchers believe this specific exploit is no longer being used, as Samsung patched CVE-2025-21042 in April 2025. However, related exploit chains targeting both Samsung and iOS devices were observed as recently as August and September.

Some parts of the LANDFALL infrastructure also remain active, raising the possibility of ongoing or upcoming campaigns by the same operators.

  • Apply Samsung’s April 2025 security update immediately to protect against CVE-2025-21042 exploitation.

  • Treat unexpected image files, especially DNG format, received via messaging apps as potential attack vectors.

  • Watch for unusual device behavior, especially involving microphone, location, or camera access.

  • Organizations in the Middle East should remain especially vigilant, given the targeting patterns observed.
