BTC $71,807
2026 Bull Run Is Building Start trading with 5% OFF all fees
Sign Up Now
BTC $71,807
Bull Run 2026 | 5% Off Fees Open your Binance account today
Sign Up

Samsung Galaxy Zero-Day Exploited by LANDFALL Android Spyware in Mideast

Samsung Galaxy zero-day flaw CVE-2025-21042 exploited to deliver LANDFALL spyware via malicious WhatsApp DNG images targeting Middle East users

  • A critical security flaw (CVE-2025-21042) in Samsung Galaxy Android devices enabled delivery of the LANDFALL spyware via zero-day attacks.
  • The spyware was distributed through malicious WhatsApp images in Digital Negative (DNG) format, targeting users mainly in the Middle East.
  • LANDFALL operates as an advanced espionage tool, extracting data such as microphone recordings, location, and contacts without user interaction.
  • The flaw was patched by Samsung in April 2025, months after exploitation began.
  • Analysis suggests possible connections between LANDFALL and the threat actor Stealth Falcon, though no direct links have been confirmed.

A serious security vulnerability identified as CVE-2025-21042 was exploited in zero-day attacks targeting Samsung Galaxy Android devices. This bug, found in the “libimagecodec.quram.so” component, allowed remote attackers to run arbitrary code. The attacks occurred before the flaw was fixed by Samsung in April 2025, according to Palo Alto Networks Unit 42.

- Advertisement -

The zero-day exploit delivered a sophisticated spyware named LANDFALL through malicious images sent via WhatsApp. The harmful files used the Digital Negative (DNG) format, with samples dating back to July 23, 2024. The campaign mainly targeted users located in Iraq, Iran, Turkey, and Morocco, based on submission data analyzed on VirusTotal.

Once installed, LANDFALL can perform extensive surveillance, including recording audio, tracking location, accessing photos, contacts, SMS, files, and call logs. The exploit likely employed a zero-click method, enabling automatic activation without any user interaction. The infected devices ran a shared library extracted from the DNG files, which also altered the device’s SELinux policy—a Linux-based security architecture—to escalate privileges and maintain persistence.

The spyware communicated with a command-and-control (C2) server over an encrypted HTTPS connection, allowing it to receive commands and secondary payloads. The identity of the attackers remains unknown. However, Unit 42 noted similarities between LANDFALL’s C2 infrastructure and domain registration patterns seen in Stealth Falcon, a known threat actor also called FruityArmor. So far, no direct overlaps in attack clusters have been identified.

In a related development, Samsung revealed in September 2025 another vulnerability, CVE-2025-21043, in the same library was exploited in the wild but unrelated to LANDFALL. Around the same period, security firms noted attacks involving flaws in WhatsApp and Apple operating systems, which have since been patched.

- Advertisement -

LANDFALL’s zero-day intrusion underscores the long lifespan of such exploits in public repositories before their full impact is recognized, as mentioned by Unit 42. The comprehensive nature of the spyware and the stealth of its delivery method highlight continuing risks to mobile security in targeted regions.

✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.

Previous Articles:

- Advertisement -
Ad
Altseason Is Loading. Don't watch from the sidelines.
SOL $90.51
DOGE $0.0963
LINK $9.02
SUI $1.00
5% off fees when you sign up
Start Trading
Ad
Pay Less on Every Trade. For Life.
$10K/mo volume Save $60/yr
$50K/mo volume Save $300/yr
$100K/mo volume Save $600/yr
5% off all trading fees when you sign up
Claim Your Discount

Latest News

Saylor’s ‘Orange Dots’ Signal Fails to Clarify Bitcoin Strategy

Strategy founder Michael Saylor posted a cryptic signal on Sunday, prompting analysts to call...

Crypto’s $2T Crash Awaits BlackRock Shock & FOMO

Bitcoin has stabilized near $60,000 after a downturn erased $2 trillion from the crypto...

Cambridge: Ethereum Energy Intensity Low, Overall Use High

Ethereum consumes roughly 7.87 GWh annually, the second-lowest energy intensity per market value among...

Saylor and Back oppose BIP-110 fork over Bitcoin security fears

Michael Saylor and Adam Back have publicly opposed BIP-110, a temporary Bitcoin fork proposal...

China, India groups target Pakistani police in cyber espionage

Suspected China- and India-aligned threat actors targeted Pakistani law enforcement in a sustained cyber...

Must Read

Forex Trading Vs Crypto Trading: Which One Should You Choose?

So you're trying to decide between two types of trading: Forex and cryptocurrency.Forex trading is the big player in the trading world, with lots...
Ad
Altseason Is Loading. These 4 coins are trending right now.
SOL $92.12
DOGE $0.0950
LINK $9.02
SUI $1.02
5% off spot fees when you sign up
Start Trading