
‘Landfall’ spyware abused Samsung zero‑day (CVE‑2025‑21042) to hack Galaxy phones for months — patched in April: What happened and how to stay safe

Published: November 7, 2025

Security researchers have uncovered a previously unknown, commercial‑grade Android spyware operation—dubbed Landfall—that exploited a zero‑day flaw in Samsung Galaxy phones and ran largely undetected for close to a year, with targets concentrated in parts of the Middle East. Samsung fixed the underlying vulnerability in an April 2025 firmware update, but the campaign and its methods are only now coming to light. [1]


What is “Landfall” and how did the hack work?

According to Palo Alto Networks’ Unit 42—whose research underpins today’s coverage—Landfall delivered spyware via malicious image files that abused CVE‑2025‑21042, an out‑of‑bounds write bug in Samsung’s libimagecodec.quram.so library. The booby‑trapped images (Digital Negative, or DNG format) could be sent over messaging apps; Unit 42 says the exploit chain may have been zero‑click (no tap required), though there’s no evidence of an undisclosed WhatsApp bug in this Android campaign. Once processed by the phone, the payload unpacked additional components and modified SELinux policies to expand its data‑stealing reach. [2]

Landfall’s capabilities include microphone recording, location tracking, and exfiltration of photos, messages, contacts, and call logs—the hallmarks of advanced mobile surveillanceware sold to government customers by private‑sector offensive actors. [3]


Who was targeted—and for how long?

Unit 42’s timeline points to first samples appearing in July 2024, with additional uploads through February 2025, suggesting a months‑long operation prior to Samsung’s patch. VirusTotal submissions and national CERT reporting indicate potential targeting in Iraq, Iran, Turkey, and Morocco. Researchers describe the operation as a precision espionage effort, not mass malware distribution. [4]


Which devices and Android versions were affected?

Landfall’s code referenced a range of Galaxy flagships—including S22, S23, S24 and Z Fold 4 / Z Flip 4—and targeted devices running Android 13–15 for CVE‑2025‑21042 (patched in SMR Apr‑2025 Release 1). A related image‑processing flaw, CVE‑2025‑21043, affecting Android 13–16, was separately patched in September 2025 after in‑the‑wild exploitation by spyware operators; Unit 42 notes technical parallels but no direct evidence that 21043 was used in the Landfall samples they analyzed. [5]


How serious is CVE‑2025‑21042?

NVD lists CVE‑2025‑21042 with a CVSS v3.1 score of 8.8 and vectors consistent with remote code execution when a crafted image is processed. That aligns with Unit 42’s finding that malformed DNG files could trigger the bug and launch the spyware loader. Samsung’s bulletin ties the fix to April 2025 firmware and maps the issue to SVE‑2024‑1969. [6]


Any links to known spyware vendors?

Attribution remains unclear. Researchers observed infrastructure and tradecraft overlaps with Stealth Falcon (also known as FruityArmor)—a surveillance outfit previously linked by researchers to operations targeting journalists and dissidents—but stress the similarities are not enough for firm attribution. This fits a broader pattern of private‑sector offensive actors (PSOAs) running bespoke, government‑focused hacking tools. [7]


Why are DNG image bugs suddenly a big deal?

Landfall is part of a 2024–2025 wave of attacks abusing image‑parsing flaws across mobile platforms. In August 2025, Apple patched CVE‑2025‑43300, and Meta/WhatsApp disclosed CVE‑2025‑55177 as part of a chained iOS exploit targeting fewer than 200 users. In September 2025, Samsung fixed CVE‑2025‑21043 in the same image library affected by Landfall’s 21042 exploit. The common thread: carefully crafted image files processed by system libraries can yield zero‑click compromise. [8]


What Samsung users should do now

  • Update immediately. Ensure your Galaxy device shows the latest Security Maintenance Release (SMR)—April 2025 or later for CVE‑2025‑21042, and September 2025 or later for CVE‑2025‑21043. On most devices: Settings → Software update → Download and install. [9]
  • Verify your patch level. Confirm your device’s Android security update level and firmware build are current; Samsung’s advisories list the CVEs and SMR months that include fixes. [10]
  • Harden messaging settings. While no new WhatsApp flaw is implicated on Android here, consider limiting auto‑download of media from unknown senders and keep apps updated from official stores. [11]
  • Enterprise defenders: Review Unit 42’s technical write‑up for IOCs (hashes, network indicators) and detection guidance, and hunt for suspicious image‑processing crashes or anomalous libimagecodec activity around the 2024–early‑2025 window. [12]
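
For fleets, the patch-level check above can be run against a device inventory. The following is an added example, not code from the article, Unit 42 or Samsung: the inventory field names and sample devices are constructed, and treating an SMR month as the security patch level string "YYYY-MM-01" is an assumption.

```python
from datetime import date

# Affected Android versions and fix months as stated in the article.
# Assumption: the SMR month equals the "YYYY-MM-01" security patch level,
# e.g. as reported by `adb shell getprop ro.build.version.security_patch`.
FIXES = {
    "CVE-2025-21042": {"android": range(13, 16), "fixed": date(2025, 4, 1)},
    "CVE-2025-21043": {"android": range(13, 17), "fixed": date(2025, 9, 1)},
}

def unpatched_cves(android_version, patch_level):
    """Return the CVEs a device still lacks fixes for, given its Android
    major version and security patch level string (YYYY-MM-DD)."""
    try:
        level = date.fromisoformat(patch_level)
    except (ValueError, TypeError):
        # Missing or malformed patch level: fail closed, treat as unpatched.
        level = date.min
    return [cve for cve, fix in FIXES.items()
            if android_version in fix["android"] and level < fix["fixed"]]

def triage(inventory):
    """Map device id -> unpatched CVEs, omitting fully patched devices."""
    findings = {}
    for dev in inventory:
        missing = unpatched_cves(dev["android"], dev["patch_level"])
        if missing:
            findings[dev["id"]] = missing
    return findings

# Constructed sample inventory (hypothetical export format, not real devices).
SAMPLE = [
    {"id": "dev-001", "model": "Galaxy S23", "android": 14, "patch_level": "2025-03-01"},
    {"id": "dev-002", "model": "Galaxy S24", "android": 15, "patch_level": "2025-06-01"},
    {"id": "dev-003", "model": "Galaxy Z Fold 4", "android": 16, "patch_level": "2025-08-01"},
    {"id": "dev-004", "model": "Galaxy S22", "android": 14, "patch_level": "2025-10-01"},
    {"id": "dev-005", "model": "Galaxy Z Flip 4", "android": 13, "patch_level": "unknown"},
]

if __name__ == "__main__":
    for dev_id, cves in triage(SAMPLE).items():
        print(f"{dev_id}: needs update for {', '.join(cves)}")
```

The check deliberately does not filter on model name: the article lists the models referenced in Landfall's code, but the fixes are tied to Android version and SMR month.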

Key dates and facts at a glance

  • Sept. 25, 2024: Vulnerability privately reported to Samsung (later assigned CVE‑2025‑21042 / SVE‑2024‑1969). [13]
  • July 2024 – Feb. 2025: Landfall samples uploaded to VirusTotal; targeting observed across parts of the Middle East/North Africa. [14]
  • April 2025: Samsung patches CVE‑2025‑21042 in the SMR Apr‑2025 update. [15]
  • Aug.–Sept. 2025: Parallel iOS/WhatsApp exploit chain disclosed; Samsung patches CVE‑2025‑21043 (same library). [16]
  • Nov. 7, 2025: Unit 42 publishes research; outlets confirm the campaign’s scope and targets. [17]

The bottom line

Landfall underscores how quietly weaponized media files can turn a phone into a live microphone and tracking device—without a tap. If you use a Samsung Galaxy device, the fix has been out for months, but protection only comes once you install it. For organizations with high‑risk users, treat image‑parsing RCE on mobile as a priority threat category and ensure rapid SMR adoption, mobile EDR coverage, and targeted threat hunting that includes DNG‑based exploit chains. [18]


Sources, November 7, 2025 coverage and primary research: Unit 42 technical report; TechCrunch; The Hacker News; SecurityWeek; The Record; The Register; Samsung advisories / NVD. [19]


References

1. techcrunch.com, 2. unit42.paloaltonetworks.com, 3. unit42.paloaltonetworks.com, 4. unit42.paloaltonetworks.com, 5. thehackernews.com, 6. nvd.nist.gov, 7. techcrunch.com, 8. unit42.paloaltonetworks.com, 9. security.samsungmobile.com, 10. security.samsungmobile.com, 11. thehackernews.com, 12. unit42.paloaltonetworks.com, 13. unit42.paloaltonetworks.com, 14. unit42.paloaltonetworks.com, 15. security.samsungmobile.com, 16. unit42.paloaltonetworks.com, 17. unit42.paloaltonetworks.com, 18. thehackernews.com, 19. unit42.paloaltonetworks.com
