Samsung Mobile libimagecodec Out-of-Bounds Write (LANDFALL Spyware)
An out-of-bounds write in libimagecodec.quram.so prior to SMR Apr-2025 Release 1 allows remote attackers to execute arbitrary code on Samsung mobile devices. The flaw resides in the closed-source Quram image-decoding library used by Samsung Galaxy devices and is reachable by processing a maliciously crafted image. It was abused as a zero-day in the LANDFALL commercial-grade Android spyware campaign, in which booby-trapped DNG image files were delivered via messaging apps.
Overview
CVE-2025-21042 is a critical out-of-bounds write in libimagecodec.quram.so, the closed-source Quram image-parsing library that Samsung ships on Galaxy devices for decoding image formats. On builds prior to the SMR (Security Maintenance Release) April 2025 Release 1, a remote attacker can execute arbitrary code by getting the device to process a maliciously crafted image, with no user interaction required for the underlying decode. Because image parsing on mobile platforms is routinely triggered by messaging apps generating previews and thumbnails, the vulnerability is reachable in a near-zero-click fashion.
The flaw was exploited in the wild as part of LANDFALL, a commercial-grade Android spyware operation documented by Palo Alto Networks Unit 42 that targeted Samsung Galaxy users in the Middle East. Attackers delivered malformed DNG (Digital Negative) image files, reportedly through WhatsApp, with the image embedding both exploit code and an archived payload. Samsung patched the issue in its April 2025 maintenance release, and CISA later added the CVE to its Known Exploited Vulnerabilities catalog on November 10, 2025 with a remediation deadline of December 1, 2025.
Technical Details
The Quram codec mishandles bounds during the parsing of crafted image data, leading to a write past the end of an allocated buffer (CWE-787). By precisely shaping the malformed image, the attacker controls the size or contents of the overflowing write, corrupting adjacent heap structures and steering execution toward attacker-controlled code within the context of the process that performed the decode. Image decoders are a perennial high-value target precisely because they parse untrusted, attacker-supplied data deep inside privileged media pipelines.
NVD assigns a base score of 9.8 (Critical) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. The vector reflects a network-reachable attack with low complexity, no privileges and, crucially, no user interaction, combined with high impact to confidentiality, integrity, and availability. The UI:N (User Interaction: None) rating is what makes this so dangerous: a target need not tap or open anything beyond receiving the malicious image, since automatic media handling can trigger the vulnerable code path. The fix is delivered through SMR Apr-2025 Release 1 (the 2025-04-01 / April 2025 Samsung patch level) and later.
Impact
- Remote, near-zero-click arbitrary code execution on affected Samsung Galaxy devices via a crafted image.
- Full compromise of the targeted handset, enabling deployment of the LANDFALL spyware implant with extensive surveillance capabilities.
- High impact to confidentiality, integrity, and availability of all data on the device.
- Real-world use in targeted commercial-spyware operations against individuals, with delivery via mainstream messaging apps.
Mitigation
- Apply the Samsung security update corresponding to the SMR April 2025 Release 1 (security patch level 2025-04-01) or any later monthly patch level on all affected Galaxy devices.
- Verify the device security patch level under Settings > About phone > Software information > Android security update; it must read 2025-04-01 or newer.
- For fleets, enforce the minimum patch level through your mobile device management (MDM) platform and quarantine or block devices that cannot reach it.
- Retire or replace Galaxy models that no longer receive Samsung security maintenance updates, since they cannot be remediated.
- Federal Civilian Executive Branch agencies were required to remediate by December 1, 2025 under CISA BOD 22-01; treat that as the baseline patch deadline.
Detection
Detection on mobile endpoints is constrained compared with desktop or server environments, so the foundation is patch-level assurance: use MDM reporting to inventory the Android security patch level of every Samsung device and flag any reporting a level earlier than 2025-04-01 as exposed. Cross-reference the device model against Samsung's list of supported models to ensure the patch is even available; out-of-support handsets are a standing risk that inventory alone will surface.
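One way to implement the patch-level inventory check, as an added example that is not part of this advisory or any vendor tooling: it parses the YYYY-MM-DD security patch level each device reports (the ro.build.version.security_patch value that MDM agents collect), compares it with the 2025-04-01 fix level, and reports missing or unparseable values as unknown rather than silently treating them as safe. The inventory records and device ids below are constructed.

```python
from datetime import date, datetime

# Patch level at which Samsung shipped the fix for CVE-2025-21042
# (SMR Apr-2025 Release 1, security patch level 2025-04-01).
FIXED_PATCH_LEVEL = date(2025, 4, 1)

# Constructed sample MDM export: one record per device. Not real inventory data;
# the model strings are placeholders.
SAMPLE_INVENTORY = [
    {"device_id": "dev-001", "model": "galaxy-model-A", "patch_level": "2025-05-01"},
    {"device_id": "dev-002", "model": "galaxy-model-B", "patch_level": "2025-03-01"},
    {"device_id": "dev-003", "model": "galaxy-model-C", "patch_level": "2025-04-01"},
    {"device_id": "dev-004", "model": "galaxy-model-D", "patch_level": ""},
    {"device_id": "dev-005", "model": "galaxy-model-E", "patch_level": "5 April 2025"},
]


def parse_patch_level(value):
    """Parse an Android security patch level as reported in
    ro.build.version.security_patch (YYYY-MM-DD). Returns None when the
    value is missing or not in that format, so the caller can treat it
    as unknown instead of assuming it is recent."""
    try:
        return datetime.strptime(value.strip(), "%Y-%m-%d").date()
    except (AttributeError, ValueError):
        return None


def classify(record, fixed=FIXED_PATCH_LEVEL):
    """Return 'patched', 'exposed' or 'unknown' for one inventory record.
    A level equal to the fix level counts as patched; anything older is
    exposed to CVE-2025-21042."""
    level = parse_patch_level(record.get("patch_level"))
    if level is None:
        return "unknown"
    return "patched" if level >= fixed else "exposed"


def triage(inventory, fixed=FIXED_PATCH_LEVEL):
    """Group device ids by status. Both 'exposed' and 'unknown' need
    follow-up: the former must be patched, the latter must be verified."""
    result = {"patched": [], "exposed": [], "unknown": []}
    for record in inventory:
        result[classify(record, fixed)].append(record["device_id"])
    return result


if __name__ == "__main__":
    for status, ids in triage(SAMPLE_INVENTORY).items():
        print(f"{status:8s} {len(ids)}  {', '.join(ids)}")
```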
For active-compromise hunting, draw on the LANDFALL indicators of compromise published by Palo Alto Networks Unit 42, which include malicious DNG sample hashes and the spyware's command-and-control infrastructure. Network detection at the perimeter or via mobile threat-defense agents should alert on connections to those C2 domains and IP addresses. Because the initial exploit arrives as an image over a messaging app, organizations that can inspect mobile traffic or that operate mobile threat-defense tooling should watch for anomalous DNG or other image files of unusual size or structure being delivered to high-value users.
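As an added example of the "unusual structure" heuristic above (not from Unit 42, Samsung or any named tool): DNG is a TIFF container, so a self-contained checker can validate the header and walk the IFD chain, flagging directory or field offsets that run past the end of the file, entry counts that do not fit, and out-of-order tags, which are the kinds of malformation a bounds-mishandling decoder would be fed. The sample files are constructed; this is generic structural hygiene for files reaching high-value users, not a LANDFALL signature.

```python
import struct

# Byte size of each TIFF 6.0 field type (types 1..12).
TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 6: 1, 7: 1, 8: 2, 9: 4, 10: 8, 11: 4, 12: 8}


def check_dng_structure(data, max_ifds=64):
    """Return a list of structural anomalies found in a TIFF/DNG byte string.
    An empty list means header and IFD chain are self-consistent (not proof
    the file is benign, only that nothing points outside the file)."""
    issues = []
    if len(data) < 8:
        return ["file shorter than the 8-byte TIFF header"]
    order = {b"II": "<", b"MM": ">"}.get(data[:2])  # little/big endian
    if order is None:
        return ["bad byte-order mark"]
    magic, first_ifd = struct.unpack(order + "HI", data[2:8])
    if magic != 42:
        issues.append("bad TIFF magic %d" % magic)
    seen, offset = set(), first_ifd
    while offset:
        if offset < 8 or offset + 2 > len(data) or offset in seen or len(seen) >= max_ifds:
            issues.append("IFD offset %d invalid or looping" % offset); break
        seen.add(offset)
        count = struct.unpack_from(order + "H", data, offset)[0]
        if count == 0 or offset + 2 + count * 12 + 4 > len(data):
            issues.append("IFD at %d: %d entries do not fit in file" % (offset, count)); break
        prev_tag = -1  # TIFF requires entries sorted by ascending tag
        for i in range(count):
            tag, ftype, n, value = struct.unpack_from(order + "HHII", data, offset + 2 + 12 * i)
            if tag <= prev_tag:
                issues.append("IFD at %d: tags not ascending at tag %d" % (offset, tag))
            prev_tag = tag
            size = TYPE_SIZES.get(ftype)
            if size is None:
                issues.append("tag %d: unknown field type %d" % (tag, ftype)); continue
            # Values wider than 4 bytes live at 'value' as an offset; check it fits.
            if n * size > 4 and value + n * size > len(data):
                issues.append("tag %d: %d bytes at offset %d run past end of file" % (tag, n * size, value))
        offset = struct.unpack_from(order + "I", data, offset + 2 + 12 * count)[0]
    return issues


def build_tiff(entries):
    """Build a minimal little-endian TIFF with one IFD (constructed test data)."""
    ifd = struct.pack("<H", len(entries))
    for tag, ftype, n, value in entries:
        ifd += struct.pack("<HHII", tag, ftype, n, value)
    return b"II" + struct.pack("<HI", 42, 8) + ifd + struct.pack("<I", 0)


GOOD_DNG = build_tiff([(256, 3, 1, 4), (257, 3, 1, 4)])      # ImageWidth/ImageLength = 4
BAD_DNG = build_tiff([(273, 4, 0x40000000, 8)])              # StripOffsets: 4 GiB of LONGs at offset 8
```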
On-device behavioral signals of a successful LANDFALL infection include unexpected new processes or files in app-private storage, abnormal battery and data consumption consistent with surveillance activity, and requests for sensitive permissions outside normal app behavior. Mobile threat-defense products that perform on-device integrity checks can flag the implant's components if signatures are available. Given the targeted, espionage-oriented nature of this campaign, any confirmed hit should be treated as a high-severity intrusion: preserve the device for forensic imaging where possible, rotate credentials and tokens that may have been exposed, and review the affected user's recent messaging activity for the delivery vector. Encourage at-risk users (journalists, activists, executives) to enable platform hardening features and to keep automatic media download disabled in messaging apps as a defense-in-depth measure.