- CVE-2025-21042 bug enabled remote code execution on multiple Samsung Galaxy devices
- Attackers used WhatsApp to deliver LandFall spyware via malformed image files
- Victims targeted in the Middle East; Stealth Falcon group suspected of being behind the campaign
Several Samsung Galaxy device series were vulnerable to a flaw that allowed threat actors to execute malicious code remotely, experts have warned.
To make matters worse, researchers say the flaw was used as a zero-day to target specific individuals in the Middle East with spyware and info stealers.
The bug, tracked as CVE-2025-21042 with a severity rating of 9.8/10 (Critical), is described as an out-of-bounds write vulnerability in libimagecodec.quram.so prior to SMR Apr-2025 Release 1. libimagecodec.quram.so is a shared framework file belonging to Samsung’s imaging library on Android devices.
Steal files and record audio
According to security researchers from Palo Alto Networks Unit 42, the flaw was used by a malicious entity to deploy the ‘LandFall’ spyware.
The attack involves delivering a malformed .DNG raw image file with a .ZIP archive appended to the end of the file. The delivery vector appears to have been WhatsApp, through which the file was shared.
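Defenders can screen image files for the layout described above, a TIFF-based DNG with a ZIP archive appended to it. The following Python check is an added example, not code from Unit 42 or Samsung; the function names and sample bytes are constructed for illustration, and it looks only for the trailing ZIP structure, not for the malformed image data that triggers CVE-2025-21042.

```python
import io
import struct
import zipfile

TIFF_MAGICS = (b"II*\x00", b"MM\x00*")  # DNG is a TIFF-based container
EOCD_SIG = b"PK\x05\x06"                # ZIP end-of-central-directory record
EOCD_LEN = 22                           # EOCD size without the optional comment


def find_appended_zip(data: bytes):
    """Return the offset of a ZIP archive trailing TIFF/DNG data, else None."""
    if data[:4] not in TIFF_MAGICS:
        return None
    # The EOCD lies within the last 22 + 65535 (max comment) bytes of a ZIP.
    floor = max(0, len(data) - EOCD_LEN - 0xFFFF)
    pos = data.rfind(EOCD_SIG, floor)
    while pos != -1:
        if pos + EOCD_LEN <= len(data):
            cd_size, cd_off, comment_len = struct.unpack_from("<IIH", data, pos + 12)
            cd_pos = pos - cd_size  # central directory sits directly before EOCD
            ends_file = pos + EOCD_LEN + comment_len == len(data)
            if (ends_file and cd_size >= 46 and cd_pos >= cd_off
                    and data[cd_pos:cd_pos + 4] == b"PK\x01\x02"):
                # Offsets stored in the ZIP may be relative to the archive start
                # (plain concatenation) or to the file start; base covers both.
                base = cd_pos - cd_off
                (first_local,) = struct.unpack_from("<I", data, cd_pos + 42)
                start = base + first_local
                if start >= 8 and data[start:start + 4] == b"PK\x03\x04":
                    return start
        pos = data.rfind(EOCD_SIG, floor, pos + 3)  # try an earlier candidate
    return None


def constructed_samples():
    """Constructed test data: a bare TIFF header, alone and with a ZIP appended."""
    tiff = b"II*\x00\x08\x00\x00\x00" + b"\x00" * 64  # header plus padding, not a real DNG
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("placeholder.txt", "constructed stand-in content")
    return tiff, tiff + buf.getvalue()


if __name__ == "__main__":
    clean, polyglot = constructed_samples()
    print("clean:", find_appended_zip(clean))
    print("polyglot:", find_appended_zip(polyglot))
```

A non-None result means the image carries a complete ZIP archive after its image data, which a legitimate camera DNG has no reason to contain and which warrants quarantining the file for analysis.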
After being deployed and executed, LandFall fingerprints the device it is on and analyzes all the installed applications.
Its main features include microphone recording, call recording, location tracking, access to contacts, SMS messages, call logs, files and images, and access to browsing history. It is also quite capable of avoiding detection and maintaining persistence on compromised devices.
Several Galaxy series of phones are said to be vulnerable: the S22, S23 and S24, as well as the Z Fold 4 and Z Flip 4. The latest Samsung flagship devices are apparently safe.
The victims appear to be located in Iraq, Iran, Turkey and Morocco, while the attackers are most likely a group called Stealth Falcon located in the United Arab Emirates (UAE). The researchers came to this conclusion by looking at LandFall’s C2 infrastructure. Palo Alto encourages Samsung users to keep their devices updated and pay attention to incoming messages, especially those with attachments of any kind.
Via Bleeping Computer



