- CVE-2025-21042 flaw enabled remote code execution on multiple Samsung Galaxy devices
- Attackers used WhatsApp to deliver LandFall spyware via malformed image files
- Victims targeted in the Middle East; Stealth Falcon group suspected behind the campaign
Multiple Samsung Galaxy device series were vulnerable to a flaw that allowed threat actors to execute malicious code remotely, experts have warned.
To make matters worse, researchers are saying the flaw was used as a zero-day to target certain individuals in the Middle East with spyware and infostealers.
The bug, tracked as CVE-2025-21042 with a severity rating of 9.8/10 (critical) is described as an out-of-bounds write vulnerability, found in libimagecodec.quram.so prior to SMR Apr-2025 Release 1. Libimagecodec.quram.so is a shared library file that’s part of the image processing framework on Samsung Android devices.
Stealing files and recording audio
According to security researchers from Palo Alto Network’s Unit 42, the bug was used by a malicious entity to deploy the ‘LandFall’ spyware.
The attack includes dropping a malformed .DNG raw image format, with a .ZIP archive attached at the end of the file. The attack vector seems to have been WhatsApp, through which the file was shared.
After being deployed and executed, LandFall fingerprints the device it’s on, and analyzes all of the installed applications.
Its main capabilities include recording via microphone, call recording, location tracking, accessing contacts, SMS messages, call logs, files, and photos, and accessing browser history. It is also quite capable of avoiding being spotted and maintaining persistence on compromised devices.
Multiple Galaxy series of phones are said to be vulnerable: S22, S23, and S24, as well as Z Fold 4 and Z Flip 4. The newest Samsung flagship devices are apparently safe.
The victims seem to be located in Iraq, Iran, Turkey, and Morocco, while the attackers are most likely a group called Stealth Falcon, located in the United Arab Emirates (UAE). The researchers came to this conclusion by looking at LandFall’s C2 infrastructure. Palo Alto urges Samsung users to keep their devices updated and to be mindful of incoming messages, especially those with attachments of any kind.
Via BleepingComputer
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button!
And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form, and get regular updates from us on WhatsApp too.
