New LandFall spyware exploited Samsung zero-day via WhatsApp messages

  • A threat actor exploited a zero-day vulnerability in Samsung’s Android image processing library to deploy a previously unknown spyware called 'LandFall' using malicious images sent over WhatsApp.

    The security issue was patched this year in April, but researchers found evidence that the LandFall operation had been active since at least July 2024 and targeted select Samsung Galaxy users in the Middle East.

    Identified as CVE-2025-21042, the zero-day is an out-of-bounds write in libimagecodec.quram.so and has a critical severity rating. A remote attacker successfully exploiting it can execute arbitrary code on a target device.

    According to researchers at Palo Alto Networks’ Unit 42, the LandFall spyware is likely a commercial surveillance framework used in targeted intrusions.

    The attacks begin with the delivery of a malformed .DNG raw image format with a .ZIP archive appended towards the end of the file.

    Source: www.bleepingcomputer.com
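
A triage check for the file layout described above (a TIFF-based .DNG image with a .ZIP archive appended), added here as an example; it is not code from the article or from Unit 42. The function names and the sample input are constructed for illustration, and the check assumes the appended ZIP keeps offsets relative to its own start.

```python
import io
import struct
import zipfile

TIFF_MAGICS = (b"II*\x00", b"MM\x00*")  # DNG is a TIFF-based container
EOCD_SIG = b"PK\x05\x06"                 # ZIP end-of-central-directory record
LOCAL_SIG = b"PK\x03\x04"                # ZIP local file header
EOCD_LEN = 22                            # fixed part, before the comment


def find_appended_zip(data: bytes):
    """Return (zip_start, member_names) when TIFF/DNG data ends in a ZIP
    archive, otherwise None."""
    if data[:4] not in TIFF_MAGICS:
        return None
    # The EOCD lies in the last 22 + 65535 bytes (maximum comment length).
    pos = data.rfind(EOCD_SIG, max(0, len(data) - EOCD_LEN - 0xFFFF))
    if pos < 0 or pos + EOCD_LEN > len(data):
        return None
    cd_size, cd_offset = struct.unpack_from("<II", data, pos + 12)
    # A ZIP glued onto another file keeps offsets relative to its own start,
    # so the archive begins cd_size + cd_offset bytes before the EOCD.
    zip_start = pos - cd_size - cd_offset
    if zip_start <= 0 or data[zip_start:zip_start + 4] != LOCAL_SIG:
        return None
    try:
        with zipfile.ZipFile(io.BytesIO(data[zip_start:])) as zf:
            return zip_start, zf.namelist()
    except zipfile.BadZipFile:
        return None


def build_sample() -> bytes:
    """Constructed test input: a stub TIFF header plus padding (not a real
    DNG) followed by a small ZIP with one harmless member."""
    image_part = b"II*\x00" + struct.pack("<I", 8) + b"\x00" * 56
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("placeholder.txt", "constructed sample")
    return image_part + buf.getvalue()


if __name__ == "__main__":
    print(find_appended_zip(build_sample()))
```

A hit only shows that an image file carries a trailing archive, which is worth a closer look; it does not by itself indicate exploitation of CVE-2025-21042.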
