Overview
- Palo Alto Networks’ Unit 42 disclosed LANDFALL, commercial‑grade spyware delivered via malformed DNG images in a zero‑click attack on Samsung Galaxy phones.
- The exploited bug, CVE-2025-21042, is an out‑of‑bounds write in Samsung’s libimagecodec.quram.so that enabled remote code execution on Android 13–15 devices.
- Samsung fixed the vulnerability in its April 2025 security update, and researchers report activity dating back to at least July 2024 targeting users in Turkey, Iran, Iraq and Morocco.
- CISA added CVE-2025-21042 to its Known Exploited Vulnerabilities catalog and set a December 1 deadline for Federal Civilian Executive Branch agencies to patch, urging all organizations to prioritize updates.
- Targets included Galaxy S22, S23 and S24 models and some Z Fold/Flip devices. WhatsApp served as the delivery channel and was not the source of the vulnerability. Attribution remains unconfirmed despite infrastructure overlaps with Stealth Falcon.