Thursday, March 5, 2026

CISA Alerts On Samsung Zero-Day RCE Exploited In Active Attacks

The vulnerability stems from an out-of-bounds write flaw in the libimagecodec.quram.so library, a core image-processing component on Samsung devices running Android 13 and later.

Classified under CWE-787, it allows attackers to corrupt memory and execute arbitrary code by sending specially crafted image files, such as malformed DNG files, often delivered via messaging apps like WhatsApp.
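Because the trigger is a malformed DNG (a TIFF-based format) handed to an image codec, a defender's first triage step for images arriving through messaging apps is a structural bounds check of the container before any decoder touches it. The following script is an added example written for this article, not code from Unit 42, Samsung or CISA; it validates only the TIFF/DNG header and first IFD against the file size and does not identify the specific CVE-2025-21042 trigger, which is not public on this page. The two sample files are constructed inline.

```python
import struct

# TIFF/DNG field types -> byte size (TIFF 6.0 types 1-12 plus the 64-bit
# types 16-18 used by BigTIFF/DNG).
TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 6: 1, 7: 1, 8: 2,
              9: 4, 10: 8, 11: 4, 12: 8, 16: 8, 17: 8, 18: 8}

def check_dng_ifd0(data: bytes, max_entries: int = 512) -> tuple:
    """Bounds-check the TIFF/DNG header and first IFD against the file size.
    Returns (ok, reason). Structural sanity only: it does not identify the
    CVE-2025-21042 trigger (an assumption-free generic check)."""
    n = len(data)
    if n < 8:
        return False, "shorter than a TIFF header"
    end = {b"II": "<", b"MM": ">"}.get(data[:2])
    if end is None:
        return False, "bad byte-order mark"
    magic, ifd = struct.unpack(end + "HI", data[2:8])
    if magic != 42:
        return False, "bad TIFF magic"
    if ifd < 8 or ifd + 2 > n:
        return False, "IFD offset outside file"
    (count,) = struct.unpack(end + "H", data[ifd:ifd + 2])
    if count == 0 or count > max_entries or ifd + 2 + 12 * count + 4 > n:
        return False, f"IFD entry table ({count} entries) outside file"
    for i in range(count):
        off = ifd + 2 + 12 * i
        tag, typ, cnt, val = struct.unpack(end + "HHII", data[off:off + 12])
        size = TYPE_SIZES.get(typ)
        if size is None:
            return False, f"tag {tag:#06x}: unknown field type {typ}"
        total = size * cnt
        # Values larger than 4 bytes live at offset 'val', which must stay in the file.
        if total > 4 and val + total > n:
            return False, f"tag {tag:#06x}: {total} value bytes at {val} past EOF"
    return True, "header and IFD0 within bounds"

def build_tiff(entries, end: str = "<") -> bytes:
    """Build a minimal TIFF: header, one IFD with the given entries, no pixel data."""
    out = (b"II" if end == "<" else b"MM") + struct.pack(end + "HI", 42, 8)
    out += struct.pack(end + "H", len(entries))
    for tag, typ, cnt, val in entries:
        out += struct.pack(end + "HHII", tag, typ, cnt, val)
    return out + struct.pack(end + "I", 0)  # next-IFD pointer: none

# Constructed samples, not real exploit files: ImageWidth/ImageLength = 4,
# and a StripOffsets entry whose 1000 LONG values would lie far past EOF.
GOOD = build_tiff([(0x0100, 3, 1, 4), (0x0101, 3, 1, 4)])
BAD = build_tiff([(0x0100, 3, 1, 4), (0x0111, 4, 1000, 0x7FFFFFF0)])
```

Run `check_dng_ifd0` on a file before passing it to any native decoder; a failed check is a reason to quarantine the attachment, not proof of exploitation.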

Security researchers from Palo Alto Networks’ Unit 42 revealed that this zero-day was exploited as early as July 2024 to deploy a sophisticated Android spyware known as LANDFALL in targeted intrusions across the Middle East, including regions in Iraq, Iran, Turkey, and Morocco.

LANDFALL, a commercial-grade spyware, grants attackers extensive surveillance capabilities once installed on vulnerable Samsung flagships like the Galaxy S22, S23, S24 series, Z Fold 4, and Z Flip 4.

The malware can access browsing history, record calls and ambient audio, track precise location data, and exfiltrate sensitive information, including photos, contacts, SMS messages, call logs, and files.

This zero-click exploitation chain, which requires no user action beyond receiving the malicious image, bypasses typical defenses, making it ideal for espionage by private-sector offensive actors (PSOAs) or state-sponsored groups.

The campaign, tracked as CL-UNK-1054, shares infrastructure with known Middle Eastern spyware operations and evaded detection for months before Samsung’s April 2025 patch.

Initially reported by Meta and WhatsApp security teams, the flaw was addressed in Samsung’s April 2025 security update, but CISA’s KEV inclusion confirms persistent exploitation attempts post-patch, possibly through unpatched legacy devices.

A related vulnerability, CVE-2025-21043, in the same library was similarly exploited and patched in September 2025, revealing a pattern of weaknesses in Samsung’s image handling.

Organizations and users must prioritize mitigation to curb these threats. Federal agencies are mandated to apply vendor patches immediately or discontinue use of affected products per BOD 22-01 guidance.

Samsung users should update devices via Settings > Software Update, enable auto-updates, and avoid opening suspicious images from unknown sources.

Enterprises deploying Samsung devices in sensitive environments should enforce mobile device management (MDM) policies, segment networks, and monitor for anomalous behavior, such as unauthorized data access.

While not yet linked to ransomware, the RCE nature of CVE-2025-21042 could facilitate broader attacks, including data theft or lateral movement into corporate networks.

This incident highlights the fragility of mobile supply chains and the need for vigilant vulnerability management.

As threat actors increasingly target everyday devices, staying ahead of zero-days like this remains crucial for safeguarding privacy and security.

Varshini

Varshini is a Cyber Security expert in Threat Analysis, Vulnerability Assessment, and Research. Passionate about staying ahead of emerging Threats and Technologies.
