Today: 8 November 2025
Subscribe
Samsung Galaxy S26 Leak Explosion: Massive Camera Upgrades, Thinner Designs & a Shocking S Pen Twist
 ·  ·  ·  ·  · 

‘Landfall’ spyware abused Samsung zero‑day (CVE‑2025‑21042) to hack Galaxy phones for months — patched in April: What happened and how to stay safe

by
8 November 2025

Published: November 7, 2025

Security researchers have uncovered a previously unknown, commercial‑grade Android spyware operation—dubbed Landfall—that exploited a zero‑day flaw in Samsung Galaxy phones and ran largely undetected for close to a year, with targets concentrated in parts of the Middle East. Samsung fixed the underlying vulnerability in an April 2025 firmware update, but the campaign and its methods are only now coming to light. [1]

What is “Landfall” and how did the hack work?

According to Palo Alto Networks’ Unit 42—whose research underpins today’s coverage—Landfall delivered spyware via malicious image files that abused CVE‑2025‑21042, an out‑of‑bounds write bug in Samsung’s libimagecodec.quram.so library. The booby‑trapped images (Digital Negative, or DNG format) could be sent over messaging apps; Unit 42 says the exploit chain may have been zero‑click (no tap required), though there’s no evidence of an undisclosed WhatsApp bug in this Android campaign. Once processed by the phone, the payload unpacked additional components and modified SELinux policies to expand its data‑stealing reach. [2]

Landfall’s capabilities include microphone recording, location tracking, and exfiltration of photos, messages, contacts, and call logs—the hallmarks of advanced mobile surveillanceware sold to government customers by private‑sector offensive actors. [3]

Who was targeted—and for how long?

Unit 42’s timeline points to first samples appearing in July 2024, with additional uploads through February 2025, suggesting a months‑long operation prior to Samsung’s patch. VirusTotal submissions and national CERT reporting indicate potential targeting in Iraq, Iran, Turkey, and Morocco. Researchers describe the operation as a precision espionage effort, not mass malware distribution. [4]

Which devices and Android versions were affected?

Landfall’s code referenced a range of Galaxy flagships—including S22, S23, S24 and Z Fold 4 / Z Flip 4—and targeted devices running Android 13–15 for CVE‑2025‑21042 (patched in SMR Apr‑2025 Release 1). A related image‑processing flaw, CVE‑2025‑21043, affecting Android 13–16, was separately patched in September 2025 after in‑the‑wild exploitation by spyware operators; Unit 42 notes technical parallels but no direct evidence that 21043 was used in the Landfall samples they analyzed. [5]

How serious is CVE‑2025‑21042?

NVD lists CVE‑2025‑21042 with a CVSS v3.1 score of 8.8 and vectors consistent with remote code execution when a crafted image is processed. That aligns with Unit 42’s finding that malformed DNG files could trigger the bug and launch the spyware loader. Samsung’s bulletin ties the fix to April 2025 firmware and maps the issue to SVE‑2024‑1969. [6]

Any links to known spyware vendors?

Attribution remains unclear. Researchers observed infrastructure and tradecraft overlaps with Stealth Falcon (also known as FruityArmor)—a surveillance outfit previously linked by researchers to operations targeting journalists and dissidents—but stress the similarities are not enough for firm attribution. This fits a broader pattern of private‑sector offensive actors (PSOAs) running bespoke, government‑focused hacking tools. [7]

Why are DNG image bugs suddenly a big deal?

Landfall is part of a 2024–2025 wave of attacks abusing image‑parsing flaws across mobile platforms. In August 2025, Apple patched CVE‑2025‑43300, and Meta/WhatsApp disclosed CVE‑2025‑55177 as part of a chained iOS exploit targeting fewer than 200 users. In September 2025, Samsung fixed CVE‑2025‑21043 in the same image library affected by Landfall’s 21042 exploit. The common thread: carefully crafted image files processed by system libraries can yield zero‑click compromise. [8]

What Samsung users should do now

  • Update immediately. Ensure your Galaxy device shows the latest Security Maintenance Release (SMR)—April 2025 or later for CVE‑2025‑21042, and September 2025 or later for CVE‑2025‑21043. On most devices: Settings → Software update → Download and install. [9]
  • Verify your patch level. Confirm your device’s Android security update level and firmware build are current; Samsung’s advisories list the CVEs and SMR months that include fixes. [10]
  • Harden messaging settings. While no new WhatsApp flaw is implicated on Android here, consider limiting auto‑download of media from unknown senders and keep apps updated from official stores. [11]
  • Enterprise defenders: Review Unit 42’s technical write‑up for IOCs (hashes, network indicators) and detection guidance, and hunt for suspicious image‑processing crashes or anomalous libimagecodec activity around the 2024–early‑2025 window. [12]

Key dates and facts at a glance

  • Sept. 25, 2024: Vulnerability privately reported to Samsung (later assigned CVE‑2025‑21042 / SVE‑2024‑1969). [13]
  • July 2024 – Feb. 2025: Landfall samples uploaded to VirusTotal; targeting observed across parts of the Middle East/North Africa. [14]
  • April 2025: Samsung patches CVE‑2025‑21042 in the SMR Apr‑2025 update. [15]
  • Aug.–Sept. 2025: Parallel iOS/WhatsApp exploit chain disclosed; Samsung patches CVE‑2025‑21043 (same library). [16]
  • Nov. 7, 2025: Unit 42 publishes research; outlets confirm the campaign’s scope and targets. [17]

The bottom line

Landfall underscores how quietly weaponized media files can turn a phone into a live microphone and tracking device—without a tap. If you use a Samsung Galaxy device, the fix has been out for months, but protection only comes once you install it. For organizations with high‑risk users, treat image‑parsing RCE on mobile as a priority threat category and ensure rapid SMR adoption, mobile EDR coverage, and targeted threat hunting that includes DNG‑based exploit chains. [18]

Sources, November 7, 2025 coverage and primary research: Unit 42 technical report; TechCrunch; The Hacker News; SecurityWeek; The Record; The Register; Samsung advisories / NVD. [19]

Your Android is SECRETLY sharing your data! Turn these OFF immediately to protect yourself! #android
Watch this video on YouTube.

References

1. techcrunch.com, 2. unit42.paloaltonetworks.com, 3. unit42.paloaltonetworks.com, 4. unit42.paloaltonetworks.com, 5. thehackernews.com, 6. nvd.nist.gov, 7. techcrunch.com, 8. unit42.paloaltonetworks.com, 9. security.samsungmobile.com, 10. security.samsungmobile.com, 11. thehackernews.com, 12. unit42.paloaltonetworks.com, 13. unit42.paloaltonetworks.com, 14. unit42.paloaltonetworks.com, 15. security.samsungmobile.com, 16. unit42.paloaltonetworks.com, 17. unit42.paloaltonetworks.com, 18. thehackernews.com, 19. unit42.paloaltonetworks.com

Tags:

Marcin Frąckiewicz Latest posts

CEO of TS2 Space and founder of TS2.tech. Expert in satellites, telecommunications, and emerging technologies, covering trends in space, AI, and connectivity.

  1. Ondas Holdings (ONDS) Jumps as Lock‑Up Expires; Zacks Names ‘Bull of the Day’ and Fresh Fund Buying Sets the Stage Ahead of Nov. 13 Earnings
  2. Pfizer Clinches $10B Takeover of Metsera as Novo Nordisk Bows Out — Full Terms, Timeline, and What It Means (Nov. 8, 2025)
  3. Pfizer (PFE) Clinches $10 Billion Metsera Deal as Novo Nordisk Exits—What It Means for the Obesity Drug Race (Nov. 8, 2025)
  4. Eos Energy (EOSE) News Today: Price Target Uplift, Fresh Downgrade, and 70% Warrant Surge — What’s Moving the Stock (Nov 8, 2025)

Stock Market Today

  • Week in Review: Nasdaq's Worst Week Since April, Three Trades and Earnings
    November 8, 2025, 12:56 PM EST. Nasdaq posts its worst week since April, down about 3%, with the S&P 500 off 1.6%. Investors fret over eye-watering AI valuations as Nvidia tumbled, erasing its $5 trillion market-cap halo amid China reopening doubts. A government shutdown hangover compounds the pullback, with October job cuts at a 22-year high and a weak University of Michigan sentiment reading underscoring softening demand. In response, the Investing Club executed three trades: adding to Starbucks on a perceived overreaction to consumer fears and a bright long-term turnaround story under Brian Niccol; boosting Boeing after a flawed quarter presented a buying opportunity; and others discussed amid a volatile tape. The stance remains: own the winners, don't trade, as data and policy swirl.
  • Evercore ISI Raises Gen Digital Price Target, Signaling Upbeat GEN Outlook
    November 8, 2025, 12:54 PM EST. Evercore ISI boosted Gen Digital's price objective from $35.00 to $37.00 and reiterated an outperform rating, implying about 46.97% upside from the prior close. The note comes as other firms issue fresh views: B. Riley initiated coverage with a Buy rating and a $46 target; Barclays, Wells Fargo, RBC, and Jefferies issued varied calls (targets ranging from the low to mid $40s with ratings from equal weight to hold). Market consensus from MarketBeat skewed to a Moderate Buy with an average target of about $36. Gen Digital traded around $25.18, down 1.1% on the session, with a robust quarter: EPS $0.62 vs $0.61 est, revenue $1.22B vs $1.20B estimate, and strong YoY growth of 25.3%. FY/Q3 2026 guidance sits at $2.51-$2.56 and $0.62-$0.64 respectively.
  • Evercore ISI Cuts Doximity Target to $70; Mixed Analyst Views on DOCS
    November 8, 2025, 12:53 PM EST. Evercore ISI cut Doximity's target price from $81 to $70, while maintaining an outperform rating, implying about a 29.89% upside from current levels. The call follows a chorus of mixed analyst views on DOCS: Wells Fargo lifted its target to $62 with an equal weight stance; Goldman Sachs issued a $64 target with a sell rating; Raymond James set a $75 target with a buy stance; Zacks moved to hold; Truist raised its objective to $61 and rated it hold. Friday data show DOCS trading near the low-$50s (around $53.89) on heavier volume, with the stock near its 50-day moving average and above the 200-day moving average. An insider sale added another wrinkle to the week's news.
  • Barclays Lifts Datadog Price Target to $215 as Analysts Turn Bullish on DDOG
    November 8, 2025, 12:51 PM EST. Barclays raised its price target for Datadog (DDOG) from $170 to $215, signaling a potential upside of about 16%. The firm maintains an overweight rating as part of a broader raft of positive research on the cloud-monitoring play. Other analysts chimed in: Jefferies lifted their target to $220 with a Buy rating; Oppenheimer moved to $195 with an Outperform; TD Cowen lifted to $180 with a Buy; Wells Fargo initiated coverage at an Overweight with a $190 objective; Stifel set $205. Market data show a mixed tape for DDOG, with the stock around $185 after a mid-day move, and a robust 1-year rally. Datadog posted solid quarterly results, beating consensus on EPS and revenue, and guiding for 2025 with EPS around $2.00.
  • Wedbush Lifts Sandisk (SNDK) Target to $260, Upbeat Outlook
    November 8, 2025, 12:48 PM EST. Wedbush raised its target on Sandisk (NASDAQ:SNDK) from $220 to $260, backing an outperform stance and signaling about 25% upside. The broader broker view remains mixed: Mizuho at $215 (Outperform), Cantor Fitzgerald at $300 (Overweight), and Citigroup lifting targets to $150 after a Buy call, while Weiss Ratings remains Sell and Zacks upgrades to Hold. Trading around $207.90, Sandisk posted EPS of $1.22 on revenue of $2.31B, up 22.6% year over year. The stock sits above the 50-day and near the 200-day moving averages, with a MarketBeat consensus of Moderate Buy and a broad array of targets that reflect divergent earnings expectations.
Android Auto gets Gemini today (Nov 7, 2025): Live support begins rolling out, what’s new in v15.4, and what’s coming next
Previous Story

Android Auto gets Gemini today (Nov 7, 2025): Live support begins rolling out, what’s new in v15.4, and what’s coming next

Sharper Black Hole Images Could Put Einstein’s Gravity to the Test: New Study Maps What Future Telescopes Must See (7 Nov 2025)
Next Story

Brighter Than 10 Trillion Suns: Record Black Hole Flare 10 Billion Light‑Years Away

Related Articles

Go toTop