Full Report
'Precision espionage campaign' began months before the flaw was fixed

A previously unknown Android spyware family called LANDFALL exploited a zero-day in Samsung Galaxy devices for nearly a year, installing surveillance code capable of recording calls, tracking locations, and harvesting photos and logs before Samsung finally patched it in April.…
Analysis Summary
# Vulnerability: Zero-Day Exploitation in Samsung Image Processing Library by LANDFALL Spyware
## CVE Details
- CVE ID: CVE-2025-21042 (Primary focus for the LANDFALL campaign)
- CVSS Score: Not explicitly stated, but described as a **critical bug** exploited in a zero-day campaign.
- CWE: Not explicitly stated; given the image-processing context, likely a buffer overflow or improper input validation weakness.
## Affected Systems
- Products: Samsung Galaxy devices
- Versions: Android 13, Android 14, Android 15, and Android 16.
- Configurations: Any affected Samsung Galaxy device running the specified Android versions.
## Vulnerability Description
CVE-2025-21042 is a critical vulnerability in Samsung's image-processing library. The LANDFALL spyware family exploited it for nearly a year, starting around July 2024. Exploitation likely involves sending a maliciously crafted image (potentially in DNG format, given related findings) to the victim's device. Successful exploitation allows the installation of surveillance code capable of recording calls, tracking locations, and harvesting photos and logs.
## Exploitation
- Status: **Exploited in the wild** (Used in a precision espionage campaign for nearly a year prior to the patch).
- Complexity: Implied **Low**; the article suggests a "zero-click" attack vector that requires no user interaction beyond receiving the malicious file via a messaging application.
- Attack Vector: Network (via messaging application delivery).
## Impact
- Confidentiality: **High** (Allows for call recording, message collection, photo harvesting, and location tracking).
- Integrity: **High** (Underlying system compromise to install persistent spyware).
- Availability: **Medium/Low** (Primary goal is surveillance, though persistent malicious code can impact device stability).
## Remediation
### Patches
- Samsung patched the vulnerability in **April [2025]**. (Specific patch version/build number not provided in the text).
### Workarounds
- No direct workarounds are provided. Given the delivery vector, restricting or disabling messaging applications that automatically render image previews until the patch is applied would be a high-effort interim mitigation.
## Detection
- Indicators of Compromise: Presence of the LANDFALL spyware payload exhibiting capabilities such as recording calls, tracking location, or exfiltrating photos/logs.
- Detection methods and tools: Following the discovery by Palo Alto Networks Unit 42, security products updated with signatures for the LANDFALL spyware family or with indicators tied to the exploitation chain (e.g., unusual image-processing activity) may detect the compromise.
## References
- Vendor advisories: Samsung Advisory issued in April [2025] (Specific date/link not provided).
- Relevant links (defanged):
  - `unit42.paloaltonetworks.com/landfall-is-new-commercial-grade-android-spyware/`
- Related CVEs mentioned alongside the campaign timeline (though not confirmed as part of LANDFALL itself): CVE-2025-43300, CVE-2025-55177, CVE-2025-21043.
- MITRE ATT&CK reference for potential link: `attack.mitre.org/groups/G0038/` (Stealth Falcon).