Pierluigi Paganini
November 11, 2025

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a Samsung mobile devices flaw, tracked as CVE-2025-21042 (CVSS score of 8.8), to its Known Exploited Vulnerabilities (KEV) catalog.
The now-patched Samsung Galaxy flaw CVE-2025-21042 was exploited as a zero-day to deploy LANDFALL spyware in targeted attacks in the Middle East.
“Unit 42 researchers have uncovered a previously unknown Android spyware family, which we have named LANDFALL. To deliver the spyware, attackers exploited a zero-day vulnerability (CVE-2025-21042) in Samsung’s Android image processing library.” reads the report published by Palo Alto Networks Unit 42. “The specific flaw LANDFALL exploited, CVE-2025-21042, is not an isolated case but rather part of a broader pattern of similar issues found on multiple mobile platforms.”
The researchers confirmed that the vulnerability was actively exploited in the wild for months before Samsung patched it in April 2025.
The LANDFALL campaign, tracked as CL-UNK-1054, hid malware in DNG image files sent via WhatsApp. LANDFALL is Android spyware targeting Samsung Galaxy devices in the Middle East.
The malware enabled zero-click surveillance, including recording audio, tracking location, and stealing data. The campaign, active for months, shared tactics and infrastructure with Middle Eastern commercial spyware operations, suggesting links to private-sector offensive actors (aka PSOAs).
Samsung disclosed in September 2025 that a separate image-library flaw, tracked as CVE-2025-21043, had been exploited in the wild, but researchers found no evidence that LANDFALL used that bug. LANDFALL campaigns delivered malicious DNG images, often via WhatsApp, and researchers traced samples back to at least July 23, 2024 (file names like IMG-20240723-WA0000.jpg). The spyware exploited a Samsung zero-day (CVE-2025-21042) in a likely zero-click chain to install itself without user interaction. Once active,
The researchers uncovered the campaign while investigating malformed DNG image files.
“The malformed DNG image files we discovered have an embedded ZIP archive appended to the end of the file. Figure 1 shows one of these samples in a hex editor, indicating where the ZIP archive content begins near the end of the file.” continues the report. “Our analysis indicates these DNG files exploit CVE-2025-21042, a vulnerability in Samsung’s image-processing library libimagecodec.quram.so that Samsung patched in April 2025. The exploit extracts shared object library (.so) files from the embedded ZIP archive to run LANDFALL spyware. Figure 2 below shows a flowchart for this spyware.”
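As an added example (not code from the Unit 42 report or from Samsung), the following check flags a DNG/TIFF file that carries an appended ZIP archive whose members are shared objects, the container layout described above. The sample image, the dummy ELF bytes and the member names b.so / l.so are constructed here; the TIFF-header and ZIP end-of-central-directory parsing is generic and says nothing about the vulnerable library's own logic.

```python
import io
import struct
import zipfile

TIFF_MAGICS = (b"II*\x00", b"MM\x00*")  # DNG is TIFF-based: little/big-endian headers
EOCD_SIG = b"PK\x05\x06"                 # ZIP end-of-central-directory record signature


def find_appended_zip(data: bytes):
    """Return (zip_start_offset, member_names) when a ZIP archive is appended
    to a TIFF/DNG image, otherwise None. Only the container layout is inspected."""
    if data[:4] not in TIFF_MAGICS:
        return None
    # The EOCD record sits within the last 22 + 65535 (max comment) bytes.
    eocd = data.rfind(EOCD_SIG, max(0, len(data) - 65557))
    if eocd == -1 or eocd + 22 > len(data):
        return None
    # EOCD layout: sig(4) disk(2) cd_disk(2) n_disk(2) n_total(2) cd_size(4) cd_offset(4)
    cd_size, cd_offset = struct.unpack_from("<II", data, eocd + 12)
    # cd_offset is relative to the ZIP's own start, so the archive begins here.
    zip_start = eocd - cd_size - cd_offset
    if zip_start < 4:  # would overlap the TIFF magic: not an appended archive
        return None
    try:
        # zipfile tolerates leading non-ZIP bytes (self-extractor style).
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return None
    return zip_start, names


def is_suspicious_dng(data: bytes) -> bool:
    """True when an appended ZIP contains shared-object (.so) members."""
    found = find_appended_zip(data)
    return found is not None and any(n.lower().endswith(".so") for n in found[1])


def build_sample() -> bytes:
    """Constructed sample: minimal little-endian TIFF (one empty IFD) + ZIP
    holding two dummy members named after the components in the report."""
    tiff = b"II*\x00" + struct.pack("<I", 8) + struct.pack("<HI", 0, 0)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("b.so", b"\x7fELF dummy")  # constructed placeholder content
        zf.writestr("l.so", b"\x7fELF dummy")
    return tiff + buf.getvalue()


if __name__ == "__main__":
    print(find_appended_zip(build_sample()), is_suspicious_dng(build_sample()))
```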

The payload drops two components: b.so, the main backdoor (“Bridge Head”), and l.so, a SELinux policy manipulator granting root privileges and persistence.
Once deployed, LANDFALL can record calls and audio, exfiltrate photos, messages, files, and system data, and monitor WhatsApp activity. It employs advanced evasion techniques like debugger and framework detection, SELinux modification, and certificate pinning for secure C2 over HTTPS.
The spyware targets flagship models (Galaxy S22–S24, Fold4, Flip4) and communicates with six known C2 servers across Europe. The researchers link it to a broader wave of DNG-based zero-click exploits affecting both Android and iOS platforms, underscoring the growing threat of image-processing vulnerabilities in mobile espionage.
The analysis of VirusTotal submission data revealed that potential targets of the campaign are in Iraq, Iran, Turkey, and Morocco.
The researchers were not able to attribute the campaign to a specific threat actor; however, Unit 42 found its C2 infrastructure and domain patterns similar to those of Stealth Falcon (aka FruityArmor), though no direct links had been confirmed as of October 2025.
According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.
Experts also recommend that private organizations review the Catalog and address the vulnerabilities in their infrastructure.
CISA orders federal agencies to fix the vulnerabilities by December 1st, 2025.