Researchers have warned that threat actors could exploit a flaw in multiple Samsung Galaxy device series to run malicious code remotely. The flaw was reportedly used in zero-day attacks to install spyware and infostealers on the devices of some users in the Middle East.
The flaw, identified as CVE-2025-21042 and rated 9.8/10 (critical), is categorised as an out-of-bounds write vulnerability in the shared library libimagecodec.quram.so, which is part of the image processing framework on Samsung Android devices.
Security researchers from Palo Alto Networks Unit 42 reported that the bug was exploited by an unknown actor to deploy the spyware known as LANDFALL.
“LANDFALL remained active and undetected for months. The specific flaw LANDFALL exploited, CVE-2025-21042, is not an isolated case but rather part of a broader pattern of similar issues found on multiple mobile platforms,” Unit 42 added.
The attack involves delivering a malformed .DNG raw image file with a .ZIP archive appended to the end of it. The delivery vector appears to have been WhatsApp, where the file was shared. After deployment and execution, LANDFALL fingerprints the device it is on and scans all installed applications.
It can record from the microphone, record calls, track location, and access contacts, SMS messages, call logs, files, photos and browser history. It is also designed to evade detection and to persist on infected devices.
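As an added defender-side illustration (not code from the Unit 42 report), the following Python checks whether a file that begins with a TIFF/DNG header carries a ZIP archive appended after its image data, the polyglot structure described above. The sample input is constructed inline and contains no real payload.

```python
import io
import struct
import zipfile

TIFF_MAGICS = (b"II*\x00", b"MM\x00*")  # DNG is TIFF-based: little- or big-endian header
ZIP_EOCD = b"PK\x05\x06"                 # end-of-central-directory record signature
ZIP_LOCAL = b"PK\x03\x04"                # local file header signature

def is_dng_like(data: bytes) -> bool:
    return data[:4] in TIFF_MAGICS

def find_appended_zip(data: bytes):
    """Return (archive_offset, member_names) when a ZIP archive trails a TIFF/DNG
    header, else None. The EOCD record sits within the last 64 KiB + 22 bytes."""
    if not is_dng_like(data):
        return None
    tail = data[-(65536 + 22):]
    rel = tail.rfind(ZIP_EOCD)
    if rel == -1:
        return None
    eocd = len(data) - len(tail) + rel
    cd_size, cd_offset = struct.unpack_from("<II", data, eocd + 12)
    # Offsets inside an archive are relative to its own start, so an appended
    # archive begins at EOCD minus (central directory size + central directory offset).
    start = eocd - cd_size - cd_offset
    if start <= 0 or data[start:start + 4] != ZIP_LOCAL:
        return None
    try:
        with zipfile.ZipFile(io.BytesIO(data[start:])) as zf:
            return start, zf.namelist()
    except zipfile.BadZipFile:
        return start, []

def build_sample(with_zip: bool) -> bytes:
    """Constructed test input: a minimal little-endian TIFF (one empty IFD) plus
    filler bytes, optionally followed by a harmless one-member ZIP archive."""
    dng = b"II*\x00" + struct.pack("<I", 8)              # magic, offset of first IFD
    dng += struct.pack("<H", 0) + struct.pack("<I", 0)   # empty IFD, no next IFD
    dng += b"\x00" * 64                                   # stand-in for image data
    if not with_zip:
        return dng
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("sample.txt", "constructed placeholder, not a real payload")
    return dng + buf.getvalue()

if __name__ == "__main__":
    print(find_appended_zip(build_sample(True)))   # (78, ['sample.txt'])
    print(find_appended_zip(build_sample(False)))  # None
```

A hit on a file received through a messaging app is a strong triage signal, since a legitimate camera raw file has no reason to carry a trailing archive.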
According to the researchers, multiple Galaxy series of phones are affected: S22, S23, and S24, as well as Z Fold 4 and Z Flip 4. The researchers also found the Android security flaw in other Galaxy devices, and said that devices running Android versions 13 through 15 could have been affected too. The newest Samsung flagship devices, however, are apparently not affected.
Samsung patched the flaw exploited to deploy the spyware in April 2025. However, LANDFALL was first detected in July 2024, and the campaign was already operational by the middle of that year.
The victims are apparently based in Iraq, Iran, Turkey and Morocco, and the attacker is likely Stealth Falcon, a group based in the United Arab Emirates (UAE). The researchers reached this conclusion by examining LANDFALL's command-and-control (C2) infrastructure. Palo Alto Networks advises Samsung users to keep their devices updated and to be cautious of unexpected messages, especially those carrying attachments.
“The spyware is delivered through malformed DNG image files exploiting CVE-2025-21042—a critical zero-day vulnerability in Samsung’s image processing library, which was exploited in the wild,” the researchers concluded.
