A zero-day vulnerability in Samsung’s Android image processing library was exploited to deploy the ‘LandFall’ spyware via malicious WhatsApp images. The attack targeted Samsung Galaxy devices in the Middle East and involved sophisticated techniques for persistence, evasion, and device fingerprinting. #CVE-2025-21042 #LandFall #SamsungGalaxy
Key points
- The zero-day vulnerability CVE-2025-21042 affects Samsung’s libimagecodec.quram.so component and was patched in April 2024.
- Attackers used malformed DNG images within ZIP archives sent over WhatsApp to deliver spyware.
- The LandFall spyware can perform microphone and call recording, location tracking, and access personal data.
- The campaign primarily targeted Samsung Galaxy devices in Iraq, Iran, Turkey, and Morocco.
- Researchers linked the infrastructure to known threat groups but did not confirm direct attribution to any spyware vendors.