Urgent Samsung Patch Stops Spyware Exploit

Summary
– CISA has added CVE-2025-21042, a Samsung mobile device vulnerability, to its Known Exploited Vulnerabilities catalog and mandated federal agencies to patch it by December.
– The vulnerability is an out-of-bounds write issue in Samsung’s image processing library that allows remote attackers to execute arbitrary code on affected devices.
– Attackers exploited this vulnerability to deliver LANDFALL spyware via malicious DNG images, possibly using zero-click methods similar to other recent mobile exploits.
– LANDFALL spyware targets Samsung Galaxy devices, enabling data theft, call recording, microphone activation, and persistence while hiding its presence from users.
– Potential targets were located in Iran, Turkey, and Morocco, with infrastructure similarities to known threat groups, though no definitive attribution has been made.
A critical security update from Samsung addresses a dangerous vulnerability actively exploited to install sophisticated spyware on mobile devices. The Cybersecurity and Infrastructure Security Agency (CISA) has mandated that all US federal civilian agencies apply this patch by early December, classifying the flaw as a frequent and high-risk attack vector. This urgency stems from evidence that the vulnerability was leveraged to deploy commercial-grade Android surveillance software, potentially on behalf of government entities.
The specific vulnerability, identified as CVE-2025-21042, is an out-of-bounds write issue located within the `libimagecodec.quram.so` library. This component is responsible for handling image processing on Samsung devices. The flaw could permit a remote attacker to execute any code they choose on a compromised smartphone. Although Samsung released a corrective patch in April 2025, attackers had already been using the vulnerability in the preceding months to distribute a spyware known as LANDFALL.
According to researchers at Palo Alto Networks, the infection method likely involved a zero-click approach using specially crafted image files. This technique means a user doesn’t need to click anything for their device to become infected; simply receiving the image could be enough. This strategy mirrors other recent exploit chains observed on both iOS and Samsung Galaxy platforms. The method bears a strong resemblance to an exploit involving a WhatsApp zero-day vulnerability that garnered attention in August 2025, as well as another chain utilizing a similar Samsung zero-day patched in September 2025.
The investigation into LANDFALL uncovered several previously undetected malicious DNG image files uploaded to VirusTotal throughout 2024 and early 2025. The filenames of these images suggest they were distributed through the WhatsApp messaging platform. These corrupted DNG files contained an embedded ZIP archive appended to the end of the image. The exploit works by extracting shared object library files from this hidden archive to load and run the LANDFALL spyware.
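As an added illustration (not code from the original report or from Palo Alto Networks), the scanner below checks whether a DNG file, which is a TIFF-based format, carries a ZIP archive appended after its image structure, the layout described above, and lists any shared-object entries inside it. The sample file and the entry names it builds are constructed placeholders, not real LANDFALL artifacts.

```python
import io
import struct
import zipfile

# Constructed sample inputs (not real LANDFALL samples): a minimal
# little-endian TIFF/DNG header followed by an appended ZIP archive.
TIFF_MAGIC = (b"II*\x00", b"MM\x00*")
EOCD_SIG = b"PK\x05\x06"
EOCD_FMT = "<4sHHHHIIH"  # end-of-central-directory record, 22 bytes


def build_sample(payload_names):
    """Build a fake DNG: TIFF header plus padding, then a ZIP appended at the end."""
    tiff = b"II*\x00" + struct.pack("<I", 8) + b"\x00" * 64  # header + empty IFD area
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in payload_names:
            zf.writestr(name, b"\x7fELF" + b"\x00" * 12)  # placeholder ELF bytes
    return tiff + buf.getvalue()


def inspect_dng(data):
    """Report whether a ZIP archive trails the TIFF/DNG structure and what it holds."""
    report = {"is_tiff": data[:4] in TIFF_MAGIC, "zip_found": False,
              "zip_offset": None, "entries": [], "shared_objects": []}
    pos = data.rfind(EOCD_SIG)
    if pos < 0 or pos + 22 > len(data):
        return report
    _, _, _, _, _, cd_size, cd_offset, _ = struct.unpack(EOCD_FMT, data[pos:pos + 22])
    # Central-directory offsets are relative to the archive's own start, so the
    # archive begins at the EOCD position minus the directory span.
    zip_start = pos - cd_size - cd_offset
    if zip_start < 0:
        return report
    try:
        with zipfile.ZipFile(io.BytesIO(data[zip_start:])) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return report
    report.update(zip_found=True, zip_offset=zip_start, entries=names,
                  shared_objects=[n for n in names if n.endswith(".so")])
    return report


if __name__ == "__main__":
    print(inspect_dng(build_sample(["libexample.so", "config.json"])))
```

A non-zero `zip_offset` on a file that also passes the TIFF magic check is the signal worth alerting on; a legitimate DNG has no reason to end in a ZIP end-of-central-directory record.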
Further analysis confirmed that this modular spyware is tailor-made for Samsung Galaxy devices. Its capabilities include comprehensive device fingerprinting (details about the handset, installed apps, and VPN status) and extensive data exfiltration. The malware can activate the device’s microphone to record ambient sounds, log phone calls, harvest contact lists, and steal SMS messages, chat histories, and photos. It also incorporates persistence mechanisms, allowing it to remain on the device and take steps to conceal its presence from both the user and mobile security applications. Researchers noted the loader shows clear signs of being a commercial-grade product, though the full next-stage components were not directly analyzed.
Based on submission data from VirusTotal, potential targets of this espionage campaign appear to be located in Iran, Turkey, and Morocco. Supporting this, Turkey’s national CERT reported that IP addresses used by LANDFALL’s command-and-control (C2) servers were flagged as malicious and linked to mobile-focused advanced persistent threat (APT) activity. While LANDFALL’s C2 infrastructure and domain registration patterns share some similarities with those used by the Stealth Falcon threat group, known for targeting journalists and activists in the United Arab Emirates, insufficient overlapping evidence has prevented researchers from definitively linking the activity to a known private-sector offensive actor or other specific threat group.
(Source: HelpNet Security)