🚨 CRITICAL | malware

CVE-2025-21042 Samsung - LANDFALL Spyware Zero-Click Attacks

CVE-2025-21042 Samsung zero-click exploitation drives the LANDFALL Android spyware campaign against Galaxy devices in the Middle East, turning a single malicious image into full-device compromise. In this operation, attackers weaponize CVE-2025-21042 Samsung Galaxy image parsing in the libimagecodec.quram.so component to achieve remote code execution via specially crafted DNG files delivered over WhatsApp. From at least July 2024 until Samsung’s April 2025 patch, LANDFALL operators quietly abused the bug to deploy commercial-grade spyware that records microphone audio, exfiltrates photos and files, tracks GPS location, and steals SMS, contacts, and call logs. The same reporting links the activity to a broader wave of DNG-based exploits including CVE-2025-21043 in Samsung devices and CVE-2025-43300 plus CVE-2025-55177 in Apple and WhatsApp, underscoring that advanced actors now prefer image-processing chains for mobile surveillance delivery. While there is still no confirmed attribution, LANDFALL’s infrastructure overlaps with Stealth Falcon tooling, suggesting a highly resourced espionage operator rather than a financially motivated crew. For enterprises with bring-your-own-device policies, unmanaged Samsung phones become an ideal foothold into corporate mail, messaging, and document stores. Security teams should treat CVE-2025-21042 Samsung exploitation as evidence of deep device compromise requiring full device replacement, credential rotation, and mobile EDR review, not just a simple patching exercise.

🎯 CORTEX Protocol Intelligence Assessment

Business Impact: CVE-2025-21042 Samsung exploitation with LANDFALL Android spyware shows how a single zero-click chain can convert personal Galaxy devices into persistent surveillance platforms. Organizations that rely heavily on mobile messaging and out-of-band apps for approvals, executive communication, and field operations must assume that compromised devices expose not only personal data but also internal chats, files, and authentication flows tied to SSO and MFA.

Technical Context: LANDFALL abuses CVE-2025-21042 Samsung image decoding to trigger remote code execution inside the libimagecodec.quram.so library without user interaction, using DNG images sent over WhatsApp as the initial vector. Follow-on stages deploy shared object payloads to modify SELinux policies, maintain persistence, and beacon over HTTPS to bespoke C2 domains with infrastructure patterns similar to Stealth Falcon campaigns. The same reporting references related exploitation of CVE-2025-21043, CVE-2025-43300, and CVE-2025-55177, underscoring that mobile image-processing stacks are now high-value targets for spyware vendors and state-linked operators.
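Because the initial vector is a DNG image arriving through a messaging app, a responder triaging a device image or a messaging media export wants to know which files are actually DNG containers, whatever their extension says. The following helper is an added example written for this page (it is not Unit 42's or Samsung's tooling and is not derived from the LANDFALL samples): it walks the TIFF header and IFD0 of a file and reports whether the DNGVersion tag (50706 / 0xC612, defined by the DNG specification) is present. The directory layout, file names and the minimal fixture bytes it builds are constructed; it identifies the container format only and does not inspect or reproduce any exploit content.

```python
"""Triage helper: identify DNG files by structure rather than by extension.

Added example for this page; not vendor or Unit 42 code. It parses only the
TIFF header and the first IFD, which is where DNGVersion lives, and stops
cleanly on truncated or non-TIFF input.
"""
import struct
from pathlib import Path

DNG_VERSION_TAG = 0xC612  # DNG spec private tag "DNGVersion" (decimal 50706)
IFD_ENTRY_SIZE = 12       # TIFF IFD entry: tag(2) type(2) count(4) value/offset(4)


def parse_tiff_ifd0(data: bytes) -> dict:
    """Return {tag: (type, count, raw_value_field)} for IFD0, or {} if not TIFF."""
    if len(data) < 8:
        return {}
    if data[:2] == b"II":
        endian = "<"          # little-endian TIFF
    elif data[:2] == b"MM":
        endian = ">"          # big-endian TIFF
    else:
        return {}
    magic, ifd_offset = struct.unpack(endian + "HI", data[2:8])
    if magic != 42 or ifd_offset + 2 > len(data):
        return {}
    (count,) = struct.unpack(endian + "H", data[ifd_offset:ifd_offset + 2])
    entries = {}
    pos = ifd_offset + 2
    for _ in range(count):
        if pos + IFD_ENTRY_SIZE > len(data):
            break             # truncated IFD: stop instead of reading past the buffer
        tag, typ, cnt = struct.unpack(endian + "HHI", data[pos:pos + 8])
        entries[tag] = (typ, cnt, data[pos + 8:pos + 12])
        pos += IFD_ENTRY_SIZE
    return entries


def is_dng(data: bytes) -> bool:
    """A TIFF whose IFD0 carries DNGVersion is a DNG container."""
    return DNG_VERSION_TAG in parse_tiff_ifd0(data)


def dng_version(data: bytes):
    """Return the 4-byte DNGVersion tuple, or None if absent or malformed."""
    entry = parse_tiff_ifd0(data).get(DNG_VERSION_TAG)
    if entry is None:
        return None
    typ, cnt, raw = entry
    if typ != 1 or cnt != 4:  # DNGVersion is 4 BYTEs, stored inline in the value field
        return None
    return tuple(raw[:4])


def triage_blobs(blobs: dict) -> list:
    """blobs: {name: leading bytes}. Returns (name, version, extension) for each DNG."""
    findings = []
    for name, data in blobs.items():
        if is_dng(data):
            findings.append((name, dng_version(data), Path(name).suffix.lower()))
    return findings


def triage_directory(root) -> list:
    """Scan a media directory (e.g. an exported messaging media folder) for DNG files."""
    blobs = {}
    for path in Path(root).rglob("*"):
        if path.is_file():
            with open(path, "rb") as f:
                blobs[str(path)] = f.read(64 * 1024)  # IFD0 normally sits near the start
    return triage_blobs(blobs)


def build_minimal_dng(version=(1, 4, 0, 0), big_endian=False) -> bytes:
    """Construct a tiny TIFF whose IFD0 holds only DNGVersion (test fixture, not a real image)."""
    endian = ">" if big_endian else "<"
    order = b"MM" if big_endian else b"II"
    header = order + struct.pack(endian + "HI", 42, 8)           # magic 42, IFD0 at offset 8
    ifd = struct.pack(endian + "H", 1)                            # one entry
    ifd += struct.pack(endian + "HHI", DNG_VERSION_TAG, 1, 4) + bytes(version)
    ifd += struct.pack(endian + "I", 0)                           # no next IFD
    return header + ifd


if __name__ == "__main__":
    # Constructed sample: a DNG saved under a .jpg name next to a real-looking JPEG header.
    sample = {"IMG_0001.jpg": build_minimal_dng(), "photo.jpeg": b"\xff\xd8\xff\xe0" + b"\x00" * 20}
    for name, ver, ext in triage_blobs(sample):
        print(f"DNG container: {name} (DNGVersion {ver}, extension {ext!r})")
```

Files flagged by this check are candidates for retention and further analysis, not proof of compromise; pairing the list with the device's security patch level and the messaging app's receipt timestamps gives the responder the context to decide whether a file predates the April 2025 fix.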

Strategic Intelligence Guidance

  • Prioritize rapid deployment of Samsung’s April and September 2025 security updates addressing CVE-2025-21042 and CVE-2025-21043 across all managed and BYOD Galaxy fleets.
  • Deploy mobile threat defense or EDR agents capable of detecting privilege escalation, SELinux policy tampering, and anomalous HTTPS beaconing from Android devices.
  • Segregate high-risk consumer messaging apps such as WhatsApp from sensitive corporate workflows, and require hardware-backed device posture checks before granting access to crown-jewel applications.
  • Establish an incident playbook for suspected mobile spyware infections that includes device replacement, credential rotation, revocation of OAuth tokens, and review of MFA enrollments.
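The first guidance item is a fleet-wide patch-level check, which is easy to automate against an MDM export. The following is an added example, not Samsung or MDM vendor tooling: it compares each Samsung device's reported Android security patch level (the YYYY-MM-DD string Android exposes as ro.build.version.security_patch) against the patch levels that carry the fixes. It takes the April 2025 update as covering CVE-2025-21042, as the page states, and assumes the September 2025 update is the one covering CVE-2025-21043; the inventory records, field names and device ids are constructed.

```python
"""Fleet check: which Samsung devices still lack the April / September 2025 fixes.

Added example for this page; not vendor tooling. Fix-level mapping is an
assumption stated in the lead-in; inventory format and records are constructed.
"""
from datetime import date

# CVE -> first Samsung security patch level assumed to contain the fix.
FIX_LEVELS = {
    "CVE-2025-21042": date(2025, 4, 1),   # April 2025 update, as stated on the page
    "CVE-2025-21043": date(2025, 9, 1),   # September 2025 update (assumed mapping)
}


def parse_patch_level(value):
    """Parse a 'YYYY-MM-DD' security patch string; None for missing or malformed values."""
    if not value:
        return None
    try:
        return date.fromisoformat(value)
    except ValueError:
        return None


def missing_fixes(patch_level) -> list:
    """CVEs whose fix level is newer than the device's reported patch level."""
    level = parse_patch_level(patch_level)
    if level is None:
        return sorted(FIX_LEVELS)  # unknown level: treat every fix as missing
    return sorted(cve for cve, fix in FIX_LEVELS.items() if level < fix)


def assess_fleet(inventory: list) -> list:
    """Return one finding per Samsung device that lacks at least one fix."""
    findings = []
    for dev in inventory:
        if dev.get("manufacturer", "").lower() != "samsung":
            continue  # the CVEs here are Samsung image-codec bugs
        gaps = missing_fixes(dev.get("security_patch"))
        if gaps:
            findings.append({
                "device_id": dev["device_id"],
                "owner_type": dev.get("owner_type", "unknown"),
                "patch_level": dev.get("security_patch"),
                "missing": gaps,
            })
    return findings


# Constructed sample MDM export (hypothetical device ids and field names).
SAMPLE_INVENTORY = [
    {"device_id": "gal-001", "manufacturer": "Samsung", "security_patch": "2025-03-01", "owner_type": "byod"},
    {"device_id": "gal-002", "manufacturer": "Samsung", "security_patch": "2025-06-01", "owner_type": "corporate"},
    {"device_id": "gal-003", "manufacturer": "Samsung", "security_patch": "2025-10-01", "owner_type": "corporate"},
    {"device_id": "gal-004", "manufacturer": "Samsung", "security_patch": None, "owner_type": "byod"},
    {"device_id": "pix-001", "manufacturer": "Google", "security_patch": "2024-12-05", "owner_type": "corporate"},
]

if __name__ == "__main__":
    for finding in assess_fleet(SAMPLE_INVENTORY):
        print(f"{finding['device_id']} ({finding['owner_type']}, patch {finding['patch_level']}): "
              f"missing {', '.join(finding['missing'])}")
```

Devices reporting no patch level at all are deliberately listed as missing every fix: a blank or unparseable value from an unmanaged BYOD handset is exactly the case the guidance asks teams to resolve rather than assume away.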

CVEs

CVE-2025-21042, CVE-2025-21043, CVE-2025-55177, CVE-2025-43300

Vendors

Samsung, Palo Alto Networks Unit 42, WhatsApp, Apple, Meta

Threats

LANDFALL spyware, Zero-click mobile exploit, Stealth Falcon

Targets

Samsung Galaxy devices, Middle East targets, WhatsApp users