Full Report
A now-patched security flaw in Samsung Galaxy Android devices was exploited as a zero-day to deliver a "commercial-grade" Android spyware dubbed LANDFALL in targeted attacks in the Middle East. The activity involved the exploitation of CVE-2025-21042 (CVSS score: 8.8), an out-of-bounds write flaw in the "libimagecodec.quram.so" component that could allow remote attackers to execute arbitrary
Analysis Summary
# Vulnerability: Out-of-Bounds Write in Samsung Android Image Codec Leading to Arbitrary Code Execution
## CVE Details
- CVE ID: CVE-2025-21042
- CVSS Score: 8.8 (High)
- CWE: CWE-787 Out-of-bounds Write (inferred from the description; the source does not state a CWE ID)
## Affected Systems
- Products: Samsung Galaxy Android devices. Specific models are not listed in the source; the vulnerable library, `libimagecodec.quram.so`, is a Samsung-shipped image codec rather than an AOSP component, so exposure is tied to Samsung firmware rather than to a particular Android release.
- Versions: Versions prior to Samsung's April 2025 security update.
- Configurations: Any device that receives and decodes an attacker-supplied DNG (Digital Negative) image with the affected codec; the observed delivery path was messaging applications such as WhatsApp, where received media is decoded as part of normal handling.
## Vulnerability Description
The vulnerability is an **out-of-bounds write** in the `libimagecodec.quram.so` image-decoding library. A crafted image drives the decoder into writing outside the bounds of its buffer, which the attackers turned into **arbitrary code execution** on the device. The delivery artifact described in the reporting is a DNG file with a ZIP archive embedded in it; the archive carries the exploit as a shared object (`.so`) library.
## Exploitation
- Status: **Exploited in the wild** as a zero-day, used to deploy "commercial-grade" Android spyware (LANDFALL).
- Complexity: **Low**. The reporting describes delivery via WhatsApp messages carrying the DNG, with the exploit triggering as the image is decoded, so no user interaction (zero-click) is assumed. Caveat: a CVSS v3.x base score of 8.8 is what results when one of the vector's privilege or interaction components is not at its weakest setting (a network-reachable, no-privilege, no-interaction vector with high confidentiality, integrity and availability impact scores 9.8), so the zero-click characterization comes from the threat reporting rather than from the score.
- Attack Vector: **Network** (the image is delivered remotely over a messaging channel; no physical or local access is needed).
## Impact
- Confidentiality: **High** (Spyware capable of harvesting microphone recordings, photos, contacts, SMS, call logs, and location data).
- Integrity: **High** (Arbitrary code execution, SELinux policy manipulation for persistence).
- Availability: **Medium** (a memory-corruption bug in the decoder can crash the decoding process or destabilize the device; the observed campaign prioritized stealth and persistence over disruption).
## Remediation
### Patches
- Samsung addressed the vulnerability in its **April 2025 security update**. Verify that the device's security patch level is April 2025 or later (Settings > About phone > Software information on Galaxy devices) rather than relying on the Android version alone, since the fix ships in Samsung's vendor library, not in AOSP.
### Workarounds
- Because the exploit fires when the image is decoded, not when the user opens it, the useful interim controls sit in front of the decoder: disable media auto-download in messaging apps where the setting exists, and block or quarantine DNG attachments at the MDM or messaging-gateway layer until the OS patch is applied. These reduce exposure; they do not remove the vulnerable code path.
## Detection
- Indicators of Compromise (IOCs): the source describes artifact classes rather than atomic hashes: DNG image files that carry an embedded ZIP archive containing a shared object, LANDFALL spyware components on the device, outbound HTTPS beaconing to the actor's C2, and modifications to SELinux policy used for persistence.
- Detection methods and tools: mobile EDR or mobile threat defense tooling that flags shared objects loaded from writable or unexpected locations (such as app data directories) and network monitoring for connections to C2 infrastructure attributed to LANDFALL or to Stealth Falcon (FruityArmor); on the file side, scanning received DNG files for an embedded ZIP archive is a cheap first-pass triage.
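The file-side triage mentioned above, written out as an added example (not code from the original report, from Unit 42 or from Samsung). It models the delivery artifact the report describes, a DNG image with a ZIP archive embedded in it whose contents include a shared object, and flags such files. It does not detect the `libimagecodec.quram.so` bug itself, and a real sample may position the archive differently, so it is a first-pass filter, not a signature. The sample blobs, the entry name `libexploit.so` and the TIFF header layout are constructed for the example.

```python
"""Triage heuristic for DNG/TIFF files that carry an embedded ZIP archive.

Added example, not code from the original page, Unit 42 or Samsung.  It flags
a DNG/TIFF container that has a ZIP archive embedded in it and reports which
archive entries are ELF objects (the shared-object payload the report describes).
"""
import io
import struct
import zipfile

TIFF_MAGICS = (b"II*\x00", b"MM\x00*")   # little- and big-endian TIFF/DNG headers
ZIP_LOCAL_SIG = b"PK\x03\x04"            # ZIP local file header signature
ZIP_EOCD_SIG = b"PK\x05\x06"             # ZIP end-of-central-directory signature
ELF_MAGIC = b"\x7fELF"


def find_embedded_zip(blob: bytes):
    """Return the offset at which a ZIP archive starts inside a TIFF/DNG blob, or None.

    Finds the end-of-central-directory record, reads the central directory size
    and offset from it, and walks back to the archive start.
    """
    if not blob.startswith(TIFF_MAGICS):
        return None                      # not a TIFF/DNG container at all
    eocd = blob.rfind(ZIP_EOCD_SIG)
    if eocd < 0 or eocd + 22 > len(blob):
        return None                      # no EOCD, or a truncated one
    # EOCD layout: sig(4) disk(2) cd_disk(2) n_disk(2) n_total(2) cd_size(4) cd_offset(4) comment_len(2)
    cd_size, cd_offset = struct.unpack_from("<II", blob, eocd + 12)
    zip_start = eocd - cd_size - cd_offset
    if zip_start < 8 or not blob.startswith(ZIP_LOCAL_SIG, zip_start):
        return None                      # would overlap the 8-byte TIFF header, or no local header there
    return zip_start


def triage_image(blob: bytes) -> dict:
    """Classify a TIFF/DNG blob: archive present, where, its entries, and which are ELF/.so."""
    report = {"embedded_zip": False, "zip_offset": None, "entries": [], "elf_entries": []}
    zip_start = find_embedded_zip(blob)
    if zip_start is None:
        return report
    try:
        with zipfile.ZipFile(io.BytesIO(blob[zip_start:])) as zf:
            for info in zf.infolist():
                report["entries"].append(info.filename)
                with zf.open(info) as fh:
                    head = fh.read(4)
                # a shared object is the payload type the report describes
                if head == ELF_MAGIC or info.filename.endswith(".so"):
                    report["elf_entries"].append(info.filename)
    except zipfile.BadZipFile:
        return report                    # signatures matched but the archive does not parse
    report["embedded_zip"] = True
    report["zip_offset"] = zip_start
    return report


def is_suspicious(blob: bytes) -> bool:
    """True when a DNG/TIFF carries an embedded ZIP holding at least one ELF or .so entry."""
    r = triage_image(blob)
    return r["embedded_zip"] and bool(r["elf_entries"])


# --- constructed samples (no real malware content) ---------------------------
def _tiff_header() -> bytes:
    # little-endian magic, first IFD at offset 8, then an empty IFD (0 entries, no next IFD)
    return b"II*\x00" + struct.pack("<I", 8) + struct.pack("<H", 0) + struct.pack("<I", 0)


def _zip_bytes(entries: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# hypothetical entry names; "libexploit.so" stands in for the shared object the report mentions
SAMPLE_MALICIOUS = _tiff_header() + b"\x00" * 64 + _zip_bytes(
    {"libexploit.so": ELF_MAGIC + b"\x00" * 60, "notes.txt": b"not a payload"})
SAMPLE_BENIGN = _tiff_header() + b"\x00" * 64              # header only, no archive
SAMPLE_BARE_ZIP = _zip_bytes({"libexploit.so": ELF_MAGIC})  # a ZIP, but not a DNG

if __name__ == "__main__":
    for label, blob in (("malicious", SAMPLE_MALICIOUS), ("benign", SAMPLE_BENIGN),
                        ("bare zip", SAMPLE_BARE_ZIP)):
        print(label, is_suspicious(blob), triage_image(blob))
```

The walk-back from the EOCD record is what makes the check robust to arbitrary image data in front of the archive: it does not depend on the ZIP starting at any fixed offset, only on the archive's own central-directory bookkeeping being consistent. A ZIP with no TIFF header, or a DNG with no archive, is reported as clean by design; the heuristic targets the specific combination the report describes.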
## References
- Vendor Advisories: Samsung Security Update Advisory (April 2025 timeframe).
- Relevant links - defanged:
- hxxps://unit42.paloaltonetworks.com/landfall-is-new-commercial-grade-android-spyware/
- hxxps://security.samsungmobile.com/securityUpdate.smsb?year=2025&month=04