Security researchers at Palo Alto Networks uncovered **LANDFALL**, a sophisticated Android spyware campaign exploiting a **zero-day vulnerability (CVE-2025-21042, CVSS 8.8)** in Samsung Galaxy devices (S22, S23, S24, Z Fold 4, Z Flip 4). The attack leveraged malformed DNG image files (disguised as WhatsApp transfers) to deploy modular spyware capable of **recording audio/calls, tracking location, harvesting SMS/contacts/files, and maintaining persistence via SELinux manipulation**. Targets included high-value individuals in the **Middle East/North Africa (Iraq, Iran, Turkey, Morocco)**, suggesting state-sponsored or commercial espionage motives. While the flaw was patched in **April 2025**, the campaign had been operating since **July 2024**, exposing users to prolonged surveillance risk. The attack's **zero-click potential** (unconfirmed) and modular design (loader + privilege escalation + C2) align with advanced threat actors such as **Stealth Falcon**, historically linked to regional espionage. The incident underscores rising risks in mobile ecosystems, where image-processing libraries (e.g., `libimagecodec.quram.so`) are increasingly exploited for targeted intrusions.
Source: https://www.linkedin.com/pulse/hackers-breach-samsung-galaxy-phones-using-single-xvrke
Samsung Mobile cybersecurity rating report: https://www.rankiteo.com/company/samsungmobile
{
  "id": "sam5892158110825",
  "linkid": "samsungmobile",
  "type": "Vulnerability",
  "date": "7/2024",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization’s existence"
}
{'affected_entities': [{'customers_affected': 'Users of Samsung Galaxy S22, S23, S24, Z Fold 4, Z Flip 4 in targeted regions',
                        'industry': 'Consumer Electronics/Technology',
                        'location': 'Global (targeted regions: Middle East and North Africa - Iraq, Iran, Turkey, Morocco)',
                        'name': 'Samsung Electronics',
                        'size': 'Large (Multinational)',
                        'type': 'Corporation'},
                       {'location': ['Iraq', 'Iran', 'Turkey', 'Morocco'],
                        'name': 'Individual Users',
                        'type': 'Consumers'}],
 'attack_vector': ['Malformed DNG Image Files',
                   'Messaging Apps (e.g., WhatsApp)',
                   'Potential Zero-Click Exploit'],
 'customer_advisories': ['Update devices to the latest Samsung firmware',
                         'Avoid opening suspicious image files from unknown sources',
                         'Report unusual device behaviors (e.g., unexpected recordings, location tracking)'],
 'data_breach': {'data_exfiltration': 'Yes',
                 'file_types_exposed': ['DNG Images (malformed, with embedded ZIP payloads)',
                                        'Photos',
                                        'SMS',
                                        'Contacts',
                                        'Call Logs'],
                 'personally_identifiable_information': 'Yes (contacts, call logs, location data)',
                 'sensitivity_of_data': 'High (includes PII and surveillance data)',
                 'type_of_data_compromised': ['Audio Recordings',
                                              'Location Data',
                                              'Photos',
                                              'SMS',
                                              'Files',
                                              'Contacts',
                                              'Call Logs']},
 'date_detected': '2025-04-01',
 'date_publicly_disclosed': '2025-04-01',
 'date_resolved': '2025-04-01',
 'description': 'Security researchers at Palo Alto Networks Unit 42 uncovered a sophisticated espionage campaign '
                'leveraging a zero-day vulnerability (CVE-2025-21042, CVSS 8.8) in Samsung Galaxy Android devices. '
                'The flaw, an out-of-bounds write defect in the libimagecodec.quram.so image-processing library, '
                'allowed remote code execution via malformed DNG image files. The campaign deployed a previously '
                'undocumented spyware family called LANDFALL, targeting flagship Samsung models (Galaxy S22, S23, '
                'S24, Z Fold 4, Z Flip 4) in the Middle East and North Africa (Iraq, Iran, Turkey, Morocco). The '
                'malware enabled surveillance capabilities such as audio recording, location tracking, and data '
                'exfiltration (photos, SMS, contacts, call logs). The initial attack vector remains unconfirmed but '
                'may involve zero-click exploitation via messaging apps like WhatsApp. The vulnerability was patched '
                'by Samsung in April 2025, though the campaign traces back to July 2024.',
 'impact': {'brand_reputation_impact': 'Moderate (high-profile zero-day exploit in flagship devices)',
            'data_compromised': ['Microphone Audio/Call Recordings',
                                 'Device Location',
                                 'Photos',
                                 'SMS',
                                 'Files',
                                 'Contacts',
                                 'Call Logs'],
            'identity_theft_risk': 'High (PII exfiltration)',
            'operational_impact': 'High (surveillance capabilities, persistence via SELinux policy manipulation)',
            'systems_affected': ['Samsung Galaxy S22',
                                 'Samsung Galaxy S23',
                                 'Samsung Galaxy S24',
                                 'Samsung Galaxy Z Fold 4',
                                 'Samsung Galaxy Z Flip 4']},
 'initial_access_broker': {'backdoors_established': 'Yes (via modified SELinux policy for persistence)',
                           'entry_point': ['Malformed DNG image files (e.g., WhatsApp transfers)',
                                           'Potential zero-click exploit via messaging apps'],
                           'high_value_targets': ['Samsung Galaxy flagship devices (S22, S23, S24, Z Fold 4, Z Flip 4)',
                                                  'Users in Middle East/North Africa (Iraq, Iran, Turkey, Morocco)']},
 'investigation_status': 'Ongoing (attribution to Stealth Falcon/FruityArmor is tentative; initial vector unconfirmed)',
 'lessons_learned': ['Image-processing libraries (e.g., DNG/TIFF) are emerging as critical attack surfaces in mobile devices.',
                     "Messaging apps and 'image' files can serve as stealthy initial vectors for advanced malware.",
                     'Modular spyware architectures (loader + privilege escalation + C2) resemble commercial spyware, '
                     'suggesting targeted espionage motives.',
                     'Mobile devices, especially flagship models, must be treated as high-value targets for espionage, '
                     'not just commodity malware.',
                     'Long exposure windows (e.g., vulnerability exploited since July 2024, patched in April 2025) '
                     'highlight the need for proactive monitoring and rapid patching.'],
 'motivation': 'Targeted Espionage (likely state-sponsored or commercial spyware)',
 'post_incident_analysis': {'corrective_actions': ['Samsung issued patches for CVE-2025-21042 (April 2025).',
                                                   'Public disclosure by Unit 42 to raise awareness and prompt mitigations.',
                                                   'Recommendations for organizations to treat mobile devices as '
                                                   'high-value espionage targets.',
                                                   'Encouragement for users to update devices and scrutinize '
                                                   'messaging app attachments.'],
                            'root_causes': ['Zero-day vulnerability (CVE-2025-21042) in Samsung’s image-processing '
                                            'library (libimagecodec.quram.so).',
                                            'Lack of user awareness about risks associated with image files via '
                                            'messaging apps.',
                                            'Delayed patching (vulnerability exploited since July 2024, patched in '
                                            'April 2025).',
                                            'Sophisticated modular spyware design (LANDFALL) enabling privilege '
                                            'escalation and persistence.']},
 'ransomware': {'data_exfiltration': 'Yes (but not ransomware-related)'},
 'recommendations': ['Ensure all Samsung devices are updated to the latest firmware (post-April 2025 patch).',
                     'Treat mobile devices as potential espionage targets, especially in high-risk regions or sectors.',
                     'Monitor for anomalous behaviors: unexpected network connections (C2 indicators), suspicious '
                     'image files via chat apps, unauthorized microphone/camera usage.',
                     'Review and enforce messaging-app usage policies, including scrutiny of attachments (even from '
                     'trusted sources).',
                     'Implement endpoint detection and response (EDR) solutions capable of detecting mobile spyware behaviors.',
                     'Educate users on the risks of malformed image files and social engineering via messaging platforms.'],
 'references': [{'source': 'Palo Alto Networks Unit 42 Research Report'},
                {'source': 'Samsung Security Advisory (CVE-2025-21042)'},
                {'source': 'Meta Platforms/WhatsApp Disclosure (CVE-2025-55177)'}],
 'response': {'communication_strategy': ['Public disclosure by Palo Alto Networks Unit 42',
                                         'Security advisories'],
              'containment_measures': ['Patch released by Samsung (April 2025)'],
              'enhanced_monitoring': 'Recommended (for anomalous network connections, microphone usage, etc.)',
              'incident_response_plan_activated': 'Yes (by Samsung and Palo Alto Networks Unit 42)',
              'remediation_measures': ['Device updates',
                                       'Monitoring for anomalous behaviors (e.g., C2 connections, suspicious image files)'],
              'third_party_assistance': ['Palo Alto Networks Unit 42']},
 'stakeholder_advisories': ['Apply patches immediately',
                            'Monitor for indicators of compromise (IoCs)',
                            'Review mobile security policies'],
 'threat_actor': {'confidence': 'Moderate (based on domain registration and C2 patterns, but no definitive attribution)',
                  'name': 'Stealth Falcon (aka FruityArmor)'},
 'title': 'LANDFALL Android Spyware Campaign Exploiting Samsung Zero-Day (CVE-2025-21042)',
 'type': ['Espionage', 'Zero-Day Exploit', 'Spyware', 'Mobile Malware'],
 'vulnerability_exploited': ['CVE-2025-21042 (CVSS 8.8) - Out-of-Bounds Write in libimagecodec.quram.so']}