
Samsung Fixes Spyware Exploit in Android Devices

Written by Jonathan Montoya | Nov 14, 2025 1:00:01 PM

A vulnerability in Samsung phones has once again raised alarms in the cybersecurity community. Identified as CVE-2025-21042, this severe flaw in image processing was exploited to install commercial-grade spyware on Android devices, possibly for government surveillance purposes.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added this vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, ordering all federal agencies to patch it by December. The urgency stems from its confirmed use to deploy LANDFALL spyware, an advanced tool capable of capturing calls, messages, and sensitive data without the user’s knowledge.

What is CVE-2025-21042 and How Does It Affect Samsung Devices?

The flaw resides in libimagecodec.quram.so, a library responsible for image processing on Samsung Galaxy devices. It is an out-of-bounds write vulnerability, allowing attackers to remotely execute arbitrary code and fully compromise the victim’s phone.

Although Samsung released a patch in April 2025, researchers discovered that the flaw had been actively exploited months earlier. A report by Palo Alto Networks revealed that the vulnerability was part of a zero-click exploit chain, requiring no user interaction. Malicious images were crafted specifically to trigger the attack.

This approach is similar to the zero-day exploits found in iOS and WhatsApp in 2025, where DNG (Digital Negative) images were used to deliver malware. In both cases, attackers leveraged weaknesses in image parsing mechanisms to silently infiltrate devices.

A Zero-Click Technique Reminiscent of the Most Advanced Attacks

What makes this vulnerability particularly dangerous is its zero-click nature—the user doesn’t have to do anything. Receiving a seemingly normal image, for example via WhatsApp or other messaging apps, is enough for the exploit to activate automatically.

Researchers detailed that DNG images used in the attacks contained a hidden ZIP file within their structure. This file included .so libraries (shared objects) which, once extracted, installed LANDFALL spyware on the device.

The result: the attacker gained complete access to the phone—activating the microphone, recording calls, and stealing messages, contacts, photos, and location data, all without triggering security alerts.
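The DNG-with-embedded-ZIP construction described above leaves a footprint a defender can look for: a genuine photo has no reason to carry a complete ZIP archive, let alone one holding native .so libraries. The scanner below is an added example, not code from the article or from the Palo Alto Networks report. It checks for that polyglot structure by parsing the ZIP central directory itself rather than trusting the image decoder, and flags any archive found inside a TIFF-family container. The sample files it builds, including the placeholder library name lib/libplaceholder.so, are constructed for the example.

```python
import io
import struct
import zipfile
from dataclasses import dataclass, field
from typing import List, Optional

# TIFF (the container format DNG is built on) starts with a byte-order mark and magic 42.
TIFF_MAGIC = {b"II*\x00", b"MM\x00*"}
ZIP_LOCAL_HEADER = b"PK\x03\x04"
ZIP_CENTRAL_HEADER = b"PK\x01\x02"
ZIP_EOCD = b"PK\x05\x06"


@dataclass
class ScanResult:
    is_tiff: bool
    zip_offset: Optional[int] = None
    entries: List[str] = field(default_factory=list)
    suspicious: bool = False
    reasons: List[str] = field(default_factory=list)


def list_zip_entries(data: bytes, eocd: int) -> List[str]:
    """Walk the ZIP central directory that precedes the EOCD record and return entry names."""
    # EOCD layout: sig(4) disk(2) cd_disk(2) entries_here(2) total(2) cd_size(4) cd_offset(4)
    total, cd_size, _cd_offset = struct.unpack_from("<HII", data, eocd + 10)
    pos = eocd - cd_size  # the central directory normally ends where the EOCD begins
    names = []
    for _ in range(total):
        if data[pos:pos + 4] != ZIP_CENTRAL_HEADER:
            break  # directory does not parse cleanly; report what was recovered
        # Central header is 46 fixed bytes; name/extra/comment lengths sit at offsets 28, 30, 32
        name_len, extra_len, comment_len = struct.unpack_from("<HHH", data, pos + 28)
        names.append(data[pos + 46:pos + 46 + name_len].decode("utf-8", "replace"))
        pos += 46 + name_len + extra_len + comment_len
    return names


def scan_image(data: bytes) -> ScanResult:
    """Flag an image whose bytes contain a complete ZIP archive."""
    result = ScanResult(is_tiff=data[:4] in TIFF_MAGIC)
    start = data.find(ZIP_LOCAL_HEADER)
    eocd = data.rfind(ZIP_EOCD)
    # Require a local header followed by an EOCD record: a lone "PK\x03\x04" that happens
    # to occur inside compressed pixel data is not an archive and must not trip the scanner.
    if start == -1 or eocd == -1 or start > eocd:
        return result
    result.zip_offset = start
    result.entries = list_zip_entries(data, eocd)
    result.suspicious = True
    kind = "TIFF/DNG" if result.is_tiff else "non-TIFF"
    result.reasons.append(f"ZIP archive embedded at offset {start} of a {kind} file")
    shared_objects = [n for n in result.entries if n.endswith(".so")]
    if shared_objects:
        result.reasons.append(f"archive contains native shared objects: {shared_objects}")
    return result


def build_constructed_tiff() -> bytes:
    """Minimal little-endian TIFF with one IFD entry, constructed for this example."""
    header = b"II" + struct.pack("<HI", 42, 8)   # byte order, magic 42, first IFD at offset 8
    ifd = struct.pack("<H", 1)                    # one directory entry
    ifd += struct.pack("<HHII", 256, 3, 1, 1)     # ImageWidth, type SHORT, count 1, value 1
    ifd += struct.pack("<I", 0)                   # no further IFD
    return header + ifd


def build_constructed_zip(files: dict) -> bytes:
    """ZIP archive from a name -> content mapping, constructed for this example."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, content in files.items():
            zf.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample: a valid TIFF with an appended ZIP holding a placeholder .so file.
    polyglot = build_constructed_tiff() + build_constructed_zip(
        {"lib/libplaceholder.so": b"\x7fELF" + b"\x00" * 12}
    )
    for label, blob in (("polyglot", polyglot), ("clean", build_constructed_tiff())):
        r = scan_image(blob)
        print(label, "SUSPICIOUS" if r.suspicious else "clean", r.reasons)
```

The check is deliberately structural: it does not try to decode the image, so it is safe to run on untrusted attachments at a mail or chat gateway before any image library touches them. It will miss payloads that are not in ZIP format or that are encrypted, so it complements rather than replaces patching.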

 

LANDFALL: A Modular, Stealthy Spyware

LANDFALL is a modular spyware designed specifically for Samsung Galaxy devices. Its structure allows components to be added or removed based on the attacker's needs.

Its confirmed capabilities include:

  1. Device profiling: Collects model details, app lists, VPN status, and network info.
  2. Call and audio recording: Activates the microphone to record conversations silently.
  3. Data exfiltration: Steals SMS messages, contacts, photos, and stored files.
  4. Persistence: Remains active even after reboots or updates, hiding from antivirus tools.
  5. Advanced obfuscation: Alters system processes to erase traces and avoid detection.

According to Palo Alto Networks, the loader behavior of LANDFALL suggests it is professionally developed commercial spyware, possibly sold to governments or private entities.

Targeted Regions and Potential Attribution

Analysis of the malicious files on VirusTotal revealed that the primary victims were located in Iran, Turkey, and Morocco.

Turkey’s National CERT confirmed the use of malicious IPs tied to Command & Control (C2) servers associated with APT groups focused on mobile surveillance.

Researchers also noted similarities between LANDFALL’s infrastructure and Stealth Falcon, a group known for targeting journalists, activists, and human rights defenders in the UAE. However, there is no conclusive evidence to attribute this campaign to them.

This raises the possibility that LANDFALL is the work of a cyber mercenary group—a growing trend where private vendors develop and sell surveillance tools to governments or corporations seeking covert monitoring capabilities.

What to Do If You Own a Samsung Device

Although this vulnerability was patched in April 2025, many users have not yet updated. At TecnetOne, we recommend the following steps to stay protected:

 

  1. Update your device immediately
    Go to Settings → Software Update → Download and Install. Make sure your device has the April 2025 security patch or newer.

  2. Avoid opening unknown files or images
    Do not download photos or documents from unfamiliar contacts, especially via messaging or email.

  3. Disable auto-preview of files in chat apps
    Prevent automatic image processing that could trigger hidden exploits.

  4. Install a reputable security solution
    Use mobile antivirus tools that offer advanced threat detection, including spyware.

  5. Review app permissions
    Revoke unnecessary access to microphone, camera, and storage in apps that don't need them.

  6. Enable Google Play Protect
    While not foolproof, it can detect suspicious behavior or unverified apps.

  7. Factory reset if you suspect infection
    If your device overheats, drains battery unusually fast, or behaves erratically—back up your data, restore factory settings, and reinstall only trusted apps.
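Step 1 can be verified precisely instead of by eye, which matters when an administrator has to confirm a whole fleet of phones. This added example (not from the article) parses the output of adb shell getprop and compares the real Android property ro.build.version.security_patch against the April 2025 level the article names; the getprop excerpts and the SM-PLACEHOLDER model string are constructed for the example.

```python
import re
import subprocess
from dataclasses import dataclass
from typing import Dict

# Real Android system properties as printed by `adb shell getprop`; the patch level is YYYY-MM-DD.
SECURITY_PATCH_PROP = "ro.build.version.security_patch"
MODEL_PROP = "ro.product.model"
GETPROP_LINE = re.compile(r"^\[(?P<key>[^\]]+)\]: \[(?P<value>.*)\]$")

# The fix shipped with the April 2025 security update, so any older level is exposed.
REQUIRED_PATCH_LEVEL = "2025-04-01"

# Constructed getprop excerpts for this example; the model string is a placeholder.
SAMPLE_OUTDATED = """
[ro.product.model]: [SM-PLACEHOLDER]
[ro.build.version.release]: [14]
[ro.build.version.security_patch]: [2025-01-01]
"""
SAMPLE_CURRENT = """
[ro.product.model]: [SM-PLACEHOLDER]
[ro.build.version.release]: [15]
[ro.build.version.security_patch]: [2025-06-01]
"""


@dataclass
class PatchStatus:
    model: str
    patch_level: str
    patched: bool
    note: str


def parse_getprop(output: str) -> Dict[str, str]:
    """Turn the `[key]: [value]` lines of getprop output into a dictionary."""
    props: Dict[str, str] = {}
    for line in output.splitlines():
        m = GETPROP_LINE.match(line.strip())
        if m:
            props[m.group("key")] = m.group("value")
    return props


def assess(props: Dict[str, str], required: str = REQUIRED_PATCH_LEVEL) -> PatchStatus:
    """Decide whether the device's security patch level includes the required update."""
    level = props.get(SECURITY_PATCH_PROP, "")
    model = props.get(MODEL_PROP, "unknown")
    if not re.fullmatch(r"\d{4}-\d{2}-\d{2}", level):
        # A missing or malformed level gives no assurance; fail closed.
        return PatchStatus(model, level, False, "security patch level missing or malformed; treat as unpatched")
    # ISO dates compare correctly as plain strings, so no date parsing is needed.
    if level >= required:
        return PatchStatus(model, level, True, f"patch level {level} includes the April 2025 fix")
    return PatchStatus(model, level, False,
                       f"patch level {level} predates {required}; update via Settings > Software Update")


if __name__ == "__main__":
    try:
        live = subprocess.run(["adb", "shell", "getprop"], capture_output=True, text=True, check=True).stdout
        print(assess(parse_getprop(live)))
    except (FileNotFoundError, subprocess.CalledProcessError):
        # No adb on the path or no device attached: fall back to the constructed samples.
        for sample in (SAMPLE_OUTDATED, SAMPLE_CURRENT):
            print(assess(parse_getprop(sample)))
```

Run it with a phone attached over USB debugging to get a live verdict; without a device it reports on the two constructed samples so the logic can be reviewed offline.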

 

What This Means for Mobile Cybersecurity

This incident with Samsung proves that zero-click attacks and commercial-grade spyware are no longer isolated cases; they are part of a growing trend in modern espionage.

Malicious actors have learned to exploit vulnerabilities in core system components like image processing libraries, letting them infect devices silently, without any user interaction.

Moreover, the line between cybercrime and state-level espionage is increasingly blurred. Tools like LANDFALL show the same precision and stealth as those used by intelligence agencies.

For companies and public institutions, the message is clear: mobile cybersecurity must be a priority. It’s no longer enough to protect servers or networks—personal and work devices are now the weakest link.

In Summary

The CVE-2025-21042 vulnerability in Samsung devices enabled attackers to deploy advanced spyware via crafted images, requiring no user interaction. Though a patch is now available, the exploit chain shows how a simple photo can be a gateway to digital espionage.

At TecnetOne, we believe prevention and tech education are the best defense. Keep your systems updated, be cautious with unknown files, and remember: every security patch could be the barrier between protection and compromise.