
CISA Urges Immediate Patch for Samsung Spyware Zero-Day

Summary

– CISA ordered federal agencies to patch a critical Samsung vulnerability (CVE-2025-21042) exploited in zero-day attacks to deploy LandFall spyware via WhatsApp.
– The vulnerability is an out-of-bounds write flaw in Samsung’s libimagecodec.quram.so library, allowing remote code execution on Android 13+ devices.
– LandFall spyware can access browsing history, record calls and audio, track location, and access photos, contacts, SMS, call logs, and files on targeted Samsung flagship models.
– Exploitation has targeted users in Iraq, Iran, Turkey, and Morocco, with infrastructure similarities to Stealth Falcon operations and naming conventions linked to known commercial spyware vendors.
– Federal agencies must secure devices by December 1, and CISA urges all organizations to patch the flaw promptly due to its significant risk as a frequent attack vector.

A critical security vulnerability affecting Samsung smartphones has prompted an urgent directive from the Cybersecurity and Infrastructure Security Agency (CISA), compelling federal agencies to apply patches immediately. This flaw, identified as CVE-2025-21042, enables attackers to install LandFall spyware through manipulated DNG image files transmitted via WhatsApp. The weakness resides within Samsung’s libimagecodec.quram.so library and impacts devices running Android 13 and newer versions.

Although Samsung addressed the issue in April after receiving reports from Meta and WhatsApp security teams, researchers at Palo Alto Networks’ Unit 42 uncovered that exploitation has been underway since at least July 2024. Attackers leveraged the vulnerability to deploy previously unidentified LandFall spyware, which can extract browsing histories, record calls and ambient audio, track physical locations, and access personal data including photos, contacts, SMS messages, call logs, and stored files.

The spyware has primarily targeted high-end Samsung models such as the Galaxy S22, S23, and S24 series, along with the Z Fold 4 and Z Flip 4. Analysis of VirusTotal samples suggests individuals in Iraq, Iran, Turkey, and Morocco may have been affected. Infrastructure used in the attacks, including command and control domains, shows characteristics previously associated with Stealth Falcon, a threat group believed to operate from the United Arab Emirates.

Another notable element is the malware loader’s internal name, “Bridge Head”, a label frequently used by commercial spyware developers like NSO Group, Variston, Cytrox, and Quadream. Despite these clues, investigators have not definitively connected LandFall to any specific threat actor or vendor.

CISA has now included CVE-2025-21042 in its Known Exploited Vulnerabilities catalog, signaling active abuse in the wild. Under Binding Operational Directive (BOD) 22-01, Federal Civilian Executive Branch agencies, such as the Department of Energy, Treasury, Homeland Security, and Health and Human Services, must secure vulnerable Samsung devices within three weeks, with a deadline of December 1.

While the mandate applies specifically to federal bodies, CISA strongly encourages all organizations using affected Samsung devices to install available patches without delay. The agency emphasized that such vulnerabilities represent common and high-risk attack vectors. Recommended actions include applying vendor-provided mitigations, adhering to BOD 22-01 guidance for cloud services, or discontinuing product use if fixes are not available.

This incident follows another libimagecodec.quram.so vulnerability (CVE-2025-21043) patched by Samsung in September, which was also exploited in zero-day attacks against Android devices.

(Source: Bleeping Computer)
