Analysis

Samsung Galaxy Android devices were targeted by a zero-day exploit (CVE-2025-21042, CVSS 8.8) in the "libimagecodec.quram.so" component, allowing remote code execution via the "LANDFALL" spyware. This flaw was actively exploited in the wild, primarily affecting flagship models like the S22, S23, S24, Z Fold 4, and Z Flip 4, before Samsung issued a patch in April 2025. The spyware, delivered through malicious WhatsApp DNG images, is a comprehensive tool capable of harvesting sensitive data from targets predominantly in the Middle East. This incident is part of a broader DNG exploitation wave, with similar campaigns also impacting Apple iOS devices (CVE-2025-55177 and CVE-2025-43300) via WhatsApp, highlighting systemic vulnerabilities across major mobile platforms. While the specific Samsung exploit is patched, related exploit chains were active until recently, indicating persistent and sophisticated threat actor activity. The modular design of LANDFALL suggests an adaptable framework capable of fetching additional surveillance components. Palo Alto Networks (PANW) Unit 42 identified and analyzed this threat, noting that LANDFALL's command-and-control infrastructure exhibits patterns consistent with known state-sponsored groups like Stealth Falcon. The overall market sentiment is moderately negative for device manufacturers due to these ongoing cybersecurity challenges. This underscores the continuous need for robust security measures and rapid patching cycles from leading technology companies.