Samsung Zero-Click Flaw Exploited to Deploy LANDFALL Android Spyware via WhatsApp
Briefly

"A now-patched security flaw in Samsung Galaxy Android devices was exploited as a zero-day to deliver a 'commercial-grade' Android spyware dubbed LANDFALL in targeted attacks in the Middle East. The activity involved the exploitation of CVE-2025-21042 (CVSS score: 8.8), an out-of-bounds write flaw in the 'libimagecodec.quram.so' component that could allow remote attackers to execute arbitrary code, according to Palo Alto Networks Unit 42. The issue was addressed by Samsung in April 2025."
"It's assessed that the attacks involved sending via WhatsApp malicious images in the form of DNG (Digital Negative) files, with evidence of LANDFALL samples going all the way back to July 23, 2024. This is based on DNG artifacts bearing names like 'WhatsApp Image 2025-02-10 at 4.54.17 PM.jpeg' and 'IMG-20240723-WA0000.jpg.' LANDFALL, once installed and executed, acts as a comprehensive spy tool, capable of harvesting sensitive data, including microphone recording, location, photos, contacts, SMS, files, and call logs."
An out-of-bounds write vulnerability in libimagecodec.quram.so (CVE-2025-21042, CVSS 8.8) allowed remote code execution on Samsung Galaxy Android devices and was exploited as a zero-day before Samsung patched it in April 2025. Based on VirusTotal submissions, targets include users in Iraq, Iran, Turkey, and Morocco. Attackers delivered LANDFALL spyware via malicious DNG images sent over WhatsApp, with samples dating back to July 23, 2024. LANDFALL harvests microphone audio, location, photos, contacts, SMS, files, and call logs. The exploit chain likely used a zero-click approach. A separate libimagecodec flaw (CVE-2025-21043) was also later reported as exploited.
Read at The Hacker News