- CVE-2025-21042 allows remote code execution on multiple Samsung Galaxy devices
- Attackers used WhatsApp to distribute LandFall spyware via malformed image files.
- Victims targeted in the Middle East; the Stealth Falcon group is suspected of being behind the campaign
Several series of Samsung Galaxy devices were vulnerable to a flaw that allowed threat actors to execute malicious code remotely, experts warned.
To make matters worse, researchers say the flaw was exploited as a zero-day to target certain people in the Middle East with spyware and information stealers.
The bug, tracked as CVE-2025-21042 with a severity rating of 9.8/10 (Critical), is described as an out-of-bounds write vulnerability, found in libimagecodec.quram.so before SMR April 2025 version 1. The file libimagecodec.quram.so is a shared library that is part of the image processing framework on Samsung Android devices.
Steal files and record audio
According to security researchers at Palo Alto Networks' Unit 42, the bug was used by a malicious entity to deploy the "LandFall" spyware.
The attack involves delivering a malformed .DNG raw image file, with a .ZIP archive appended to the end of the file. The attack vector appears to have been WhatsApp, through which the file was shared.
After being deployed and running, LandFall fingerprints the device it is on and scans all installed applications.
Its main capabilities include recording via microphone, call recording, location tracking, access to contacts, SMS messages, call logs, files and photos, as well as access to browser history. It is also fully capable of avoiding detection and maintaining persistence on compromised devices.
Several Galaxy phone series are said to be vulnerable: S22, S23 and S24, as well as Z Fold 4 and Z Flip 4. Samsung’s latest flagship devices are apparently safe.
The victims appear to be in Iraq, Iran, Turkey and Morocco, while the attackers are most likely a group called Stealth Falcon, based in the United Arab Emirates (UAE). The researchers came to this conclusion by examining LandFall’s C2 infrastructure. Palo Alto urges Samsung users to keep their devices updated and pay attention to incoming messages, especially those with attachments of any kind.
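As an added example (not from the original article or from Unit 42), here is a triage check for the file shape described above: a TIFF-based DNG image with a ZIP archive appended to it. The function names and the sample bytes are constructed for illustration.

```python
import io
import struct
import zipfile

TIFF_MAGICS = (b"II*\x00", b"MM\x00*")  # DNG is built on the TIFF container
ZIP_LOCAL_HEADER = b"PK\x03\x04"        # signature of a ZIP member header


def find_appended_zip(data: bytes):
    """Return (zip_start_offset, member_names) when a TIFF/DNG file also
    parses as a ZIP archive that begins after the image header, else None."""
    if data[:4] not in TIFF_MAGICS:
        return None
    try:
        # zipfile locates the end-of-central-directory record from the end of
        # the file, so it still opens an archive that has image data in front.
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            infos = zf.infolist()
    except zipfile.BadZipFile:
        return None
    if not infos:
        return None
    # header_offset is already corrected for any bytes that precede the archive.
    start = min(info.header_offset for info in infos)
    if start == 0 or data[start:start + 4] != ZIP_LOCAL_HEADER:
        return None
    return start, [info.filename for info in infos]


def build_constructed_sample():
    """Constructed test input: a bare TIFF header plus padding (not a real
    image), followed by a small ZIP archive. Returns (tiff_part, combined)."""
    tiff = b"II*\x00" + struct.pack("<I", 8) + b"\x00" * 64
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("constructed_member.bin", b"constructed sample data")
    return tiff, tiff + buf.getvalue()


if __name__ == "__main__":
    tiff_only, combined = build_constructed_sample()
    print("image only :", find_appended_zip(tiff_only))
    print("image + zip:", find_appended_zip(combined))
```

A match indicates the container anomaly only and is a reason to quarantine the file for closer analysis.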
Via BleepingComputer