Samsung phones under threat from this dangerous new spyware cyberattack - here's how to stay safe

News
By published

LandFall deployed against targets with Samsung phones

Samsung Galaxy S9
Image credit: TechRadar (Image credit: Samsung)
  • CVE-2025-21042 flaw enabled remote code execution on multiple Samsung Galaxy devices
  • Attackers used WhatsApp to deliver LandFall spyware via malformed image files
  • Victims targeted in the Middle East; Stealth Falcon group suspected behind the campaign

Multiple Samsung Galaxy device series were vulnerable to a flaw that allowed threat actors to execute malicious code remotely, experts have warned.

To make matters worse, researchers are saying the flaw was used as a zero-day to target certain individuals in the Middle East with spyware and infostealers.

The bug, tracked as CVE-2025-21042 with a severity rating of 9.8/10 (critical) is described as an out-of-bounds write vulnerability, found in libimagecodec.quram.so prior to SMR Apr-2025 Release 1. Libimagecodec.quram.so is a shared library file that’s part of the image processing framework on Samsung Android devices.

Stealing files and recording audio

According to security researchers from Palo Alto Network’s Unit 42, the bug was used by a malicious entity to deploy the ‘LandFall’ spyware.

The attack includes dropping a malformed .DNG raw image format, with a .ZIP archive attached at the end of the file. The attack vector seems to have been WhatsApp, through which the file was shared.

After being deployed and executed, LandFall fingerprints the device it’s on, and analyzes all of the installed applications.

Its main capabilities include recording via microphone, call recording, location tracking, accessing contacts, SMS messages, call logs, files, and photos, and accessing browser history. It is also quite capable of avoiding being spotted and maintaining persistence on compromised devices.

Multiple Galaxy series of phones are said to be vulnerable: S22, S23, and S24, as well as Z Fold 4 and Z Flip 4. The newest Samsung flagship devices are apparently safe.

The victims seem to be located in Iraq, Iran, Turkey, and Morocco, while the attackers are most likely a group called Stealth Falcon, located in the United Arab Emirates (UAE). The researchers came to this conclusion by looking at LandFall’s C2 infrastructure. Palo Alto urges Samsung users to keep their devices updated and to be mindful of incoming messages, especially those with attachments of any kind.

Via BleepingComputer

Best antivirus software header
The best antivirus for all budgets

➡️ Read our full guide to the best antivirus
1. Best overall:
Bitdefender Total Security
2. Best for families:
Norton 360 with LifeLock
3. Best for mobile:
McAfee Mobile Security

Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button!

And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form, and get regular updates from us on WhatsApp too.

TOPICS
Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.