The exploited vulnerability, tracked as CVE-2025-21042 (CVSS score: 8.8), resided in the “libimagecodec.quram.so” component of Samsung Galaxy devices, specifically allowing a remote attacker to execute arbitrary code. Palo Alto Networks Unit 42 confirmed that this flaw was actively used as a zero-day—meaning attacks were happening before the vendor fix—to distribute the LANDFALL spyware. Samsung officially addressed the issue in April 2025, following reports of the in-the-wild exploitation.
The activity, internally designated as CL-UNK-1054, primarily targeted individuals in Iraq, Iran, Turkey, and Morocco, based on analysis of VirusTotal submission data. This zero-day exploitation emerged against the backdrop of a separate but related discovery: Samsung had already disclosed in September 2025 that another vulnerability in the exact same library, CVE-2025-21043 (likewise rated CVSS 8.8), had been exploited in the wild as well. However, there is no current evidence linking this second flaw to the LANDFALL campaign.
The modus operandi for the attacks is assessed to involve the delivery of malicious images via WhatsApp, specifically in the form of DNG (Digital Negative) files. Artifacts related to the LANDFALL samples date back as far as July 23, 2024, with various malicious DNG files appearing under names resembling typical image files. Researchers noted that samples of the spyware from July 2024 and those from the most recent upload in February 2025 showed no significant functional differences.
Once successfully installed and executed, the LANDFALL spyware transforms the compromised device into a comprehensive surveillance tool. It is highly capable of harvesting a wide array of sensitive information, including microphone recordings, geographical location data, photos, contacts, SMS messages, arbitrary files, and comprehensive call logs.
The spyware is specifically engineered to compromise certain flagship devices from the South Korean electronics manufacturer, including the Samsung Galaxy S22, S23, and S24 series, alongside the Z Fold 4 and Z Flip 4. While Unit 42 speculated that the exploit chain may have used a zero-click approach to trigger the vulnerability without any user interaction, the researchers emphasized that there is currently no concrete evidence to confirm this or to suggest an underlying security flaw in the WhatsApp application that would enable it.