
Samsung Mobile Flaw Exploited as Zero-Day to Deploy LANDFALL Android Spyware

Low
Published: Fri Nov 07 2025 (11/07/2025, 18:00:00 UTC)
Source: The Hacker News

Description

A now-patched security flaw in Samsung Galaxy Android devices was exploited as a zero-day to deliver a "commercial-grade" Android spyware dubbed LANDFALL in targeted attacks in the Middle East. The activity involved the exploitation of CVE-2025-21042 (CVSS score: 8.8), an out-of-bounds write flaw in the "libimagecodec.quram.so" component that could allow remote attackers to execute arbitrary

AI-Powered Analysis

Last updated: 11/08/2025, 02:51:53 UTC

Technical Analysis

The threat centers on CVE-2025-21042, an out-of-bounds write in libimagecodec.quram.so, an image-decoding library shipped on Samsung Galaxy Android devices. A remote attacker who can get a crafted image decoded on the device can execute arbitrary code; because messaging apps decode received images automatically, the exploit is assessed to be zero-click, needing no interaction from the victim.

The attack uses maliciously crafted Digital Negative (DNG) image files, likely delivered over WhatsApp. Each DNG has a ZIP archive appended to it, and the archive holds shared object (.so) libraries. Once the exploit extracts and loads those libraries, they deploy LANDFALL, a commercial-grade Android spyware capable of microphone recording, location tracking, theft of photos and contacts, interception of SMS and call logs, and file exfiltration. The implant also manipulates the device's SELinux policy to gain elevated permissions and maintain persistence, and it communicates with its command-and-control (C2) servers over HTTPS to receive additional payloads and instructions.

The campaign, tracked as CL-UNK-1054, was active from at least July 2024 until Samsung patched the vulnerability in April 2025. Observed targets were in Middle Eastern countries including Iraq, Iran, Turkey and Morocco, but the vulnerability itself affects any Samsung Galaxy device running unpatched affected firmware, so exposure is not limited to those regions. Because the exploit is zero-click, victims do not need to open or interact with the malicious content, which makes undetected compromise far more likely. LANDFALL's infrastructure shows some overlap with the threat actor tracked as Stealth Falcon, although no direct attribution has been made. The case underscores the sophistication and persistence of modern mobile spyware campaigns and the importance of timely patching and threat monitoring.
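The delivery format described above (a TIFF-based DNG with a ZIP archive appended, the archive carrying native .so payloads) is easy to spot on disk or in a mail or file-share pipeline, because the ZIP's central directory sits at the end of the file and Python's zipfile tolerates prepended data. The scanner below is an added example written for this page; it is not code from Unit 42, Samsung or the campaign operators. The sample image, the member names (loader.so, policy.so) and their contents are constructed here and are hypothetical; nothing in the block reproduces the real exploit.

```python
"""Detect DNG/TIFF images that carry an appended ZIP archive of ELF shared objects.

Added example, not code from Unit 42, Samsung or the LANDFALL authors. It models
the delivery described above: a DNG (TIFF-based) image with a ZIP archive
concatenated after the image data, the archive holding .so payloads. The sample
image, its member names (loader.so, policy.so) and contents are constructed here
and are hypothetical.
"""
import io
import struct
import zipfile

TIFF_MAGICS = (b"II*\x00", b"MM\x00*")  # little- and big-endian TIFF headers; DNG is TIFF-based
ZIP_LOCAL_HEADER = b"PK\x03\x04"        # ZIP local file header signature
ELF_MAGIC = b"\x7fELF"                  # first four bytes of every ELF object


def is_tiff(data: bytes) -> bool:
    """True if the file starts with a TIFF header (what a real DNG looks like)."""
    return data[:4] in TIFF_MAGICS


def scan_image(data: bytes) -> dict:
    """Look for a ZIP archive appended to the image and inspect its members.

    Returns a dict with: is_tiff, zip_offset (offset of the first local file
    header, or None), members (all archive entries) and elf_members (entries
    whose first bytes are the ELF magic, i.e. native code such as .so files).
    """
    result = {"is_tiff": is_tiff(data), "zip_offset": None,
              "members": [], "elf_members": []}
    offset = data.find(ZIP_LOCAL_HEADER)  # a production scanner should walk the TIFF IFD chain first
    if offset < 0:
        return result
    result["zip_offset"] = offset
    try:
        # zipfile locates the end-of-central-directory record from the end of
        # the buffer and compensates for the prepended image bytes.
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            for info in archive.infolist():
                result["members"].append(info.filename)
                with archive.open(info) as member:
                    if member.read(4) == ELF_MAGIC:
                        result["elf_members"].append(info.filename)
    except zipfile.BadZipFile:
        # A stray "PK\x03\x04" inside image data, or a truncated archive.
        pass
    return result


def is_suspicious(data: bytes) -> bool:
    """Flag an image that is TIFF/DNG on the outside and ships native code inside a ZIP."""
    findings = scan_image(data)
    return findings["is_tiff"] and bool(findings["elf_members"])


# --- constructed sample data (hypothetical, for demonstration only) ---

# Minimal little-endian TIFF: header, first-IFD offset 8, an IFD with zero
# entries, then padding that stands in for image data.
SAMPLE_TIFF = (b"II*\x00" + struct.pack("<I", 8)
               + struct.pack("<H", 0) + struct.pack("<I", 0)
               + b"\x00" * 64)


def build_sample_polyglot() -> bytes:
    """TIFF bytes followed by a ZIP holding two fake ELF objects and a text file."""
    fake_elf = ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 61  # ELF64, LSB, version 1, rest padded
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        archive.writestr("loader.so", fake_elf)   # hypothetical name
        archive.writestr("policy.so", fake_elf)   # hypothetical name
        archive.writestr("readme.txt", b"not native code")
    return SAMPLE_TIFF + buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("polyglot", build_sample_polyglot()), ("plain", SAMPLE_TIFF)):
        verdict = "suspicious" if is_suspicious(blob) else "clean"
        print(label, verdict, scan_image(blob))
```

Run it against a directory of received media (for example files recovered from a messaging app's storage during a forensic acquisition) by reading each file into bytes and calling is_suspicious. The check is deliberately structural rather than signature-based: it keys on the combination of a valid image header and ELF members inside a trailing ZIP, which is the property the analysis above describes, so it does not depend on hashes of specific samples.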

Potential Impact

For European organizations, exploitation of this vulnerability could lead to severe confidentiality breaches, especially where Samsung Galaxy devices are used for sensitive communications. LANDFALL's ability to record audio, track location and exfiltrate personal and corporate data puts privacy, intellectual property and operational security at risk. Because the exploit is assessed to be zero-click, user-awareness defenses offer no protection, and an infection can go unnoticed for a long time. The persistence mechanism (SELinux policy manipulation) and the HTTPS C2 channel support long-running espionage against government communications, critical infrastructure operators and corporate targets. A compromised handset also exposes whatever corporate resources it can reach, such as mail, VPN, single sign-on sessions and internal applications. The likely use of WhatsApp as the delivery channel leverages a widely trusted, end-to-end encrypted platform, which complicates network-side detection and response. European organizations with staff or partners in the affected regions, or with geopolitical interests in the Middle East, are the most plausible targets. The incident also illustrates the risk carried by image-parsing components bundled into device firmware, such as libimagecodec.quram.so, and the need for robust mobile device management and patch compliance.

Mitigation Recommendations

European organizations should first confirm that every Samsung Galaxy device in their estate carries Samsung's April 2025 security maintenance release or later. On the device, Settings > About phone > Software information shows the security patch level; a mobile device management (MDM) platform can read the same value (the ro.build.version.security_patch system property) across the fleet and quarantine devices that fall short. MDM policies should also restrict installation of untrusted applications.

Network monitoring should look for anomalous HTTPS traffic from mobile devices to newly seen or low-reputation domains, which is how LANDFALL reaches its C2 servers, and indicators of compromise published by threat intelligence providers tracking CL-UNK-1054 and its infrastructure should be loaded into those controls. Mobile threat defense or EDR tooling with Android coverage should be used to surface unexpected native libraries, processes and SELinux policy changes on managed devices.

Because the exploit is zero-click, user awareness training cannot prevent infection, and WhatsApp's end-to-end encryption means network content filtering cannot inspect or block DNG attachments in transit; user education should therefore focus on prompt reporting of unusual device behaviour rather than on refusing messages. Incident response plans should include procedures for acquiring and forensically analysing mobile devices suspected of compromise, including recovering received media files from the messaging app's storage for inspection. Finally, network segmentation and least-privilege access for mobile devices limit what a compromised handset can reach on corporate resources.
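The patch-compliance check above is the one control that actually closes the vulnerability, so it is worth automating across a fleet. The script below is an added example written for this page, not code from Samsung or any MDM vendor. It parses the output of `adb shell getprop` (which prints one `[key]: [value]` line per property) and classifies each device against the April 2025 patch level the analysis above names. The getprop outputs, serials and models embedded in it are constructed for the demonstration; a non-Samsung device is reported as not applicable and a missing or malformed patch string is reported as unknown rather than silently passed.

```python
"""Triage an Android fleet for the Samsung patch level that closed CVE-2025-21042.

Added example, not code from Samsung or any MDM vendor. It parses the output of
`adb shell getprop` (format: "[key]: [value]") and flags Samsung devices whose
ro.build.version.security_patch predates the April 2025 SMR. The getprop
outputs below are constructed for the demonstration; serials are hypothetical.
"""
from datetime import date
from typing import Dict, Optional

# Security maintenance release in which Samsung shipped the fix, per the analysis above.
REQUIRED_PATCH = date(2025, 4, 1)


def parse_getprop(output: str) -> Dict[str, str]:
    """Turn `adb shell getprop` lines into a dict; malformed lines are ignored."""
    props: Dict[str, str] = {}
    for line in output.splitlines():
        line = line.strip()
        if not (line.startswith("[") and line.endswith("]") and "]: [" in line):
            continue
        key, _, value = line[1:-1].partition("]: [")
        props[key] = value
    return props


def parse_patch_level(value: Optional[str]) -> Optional[date]:
    """Parse a YYYY-MM-DD security patch string; None if absent or malformed."""
    if not value:
        return None
    try:
        year, month, day = (int(part) for part in value.split("-"))
        return date(year, month, day)
    except ValueError:  # wrong field count, non-numeric field, or impossible date
        return None


def assess(props: Dict[str, str]) -> str:
    """Classify one device as not_applicable, patched, vulnerable or unknown."""
    if props.get("ro.product.manufacturer", "").lower() != "samsung":
        return "not_applicable"   # the flaw is in Samsung's bundled codec library
    patch = parse_patch_level(props.get("ro.build.version.security_patch"))
    if patch is None:
        return "unknown"          # treat as vulnerable until verified by hand
    return "patched" if patch >= REQUIRED_PATCH else "vulnerable"


def triage(fleet: Dict[str, str]) -> Dict[str, str]:
    """Map device serial -> assessment for a dict of serial -> getprop output."""
    return {serial: assess(parse_getprop(output)) for serial, output in fleet.items()}


# Constructed getprop output for four hypothetical devices.
SAMPLE_FLEET = {
    "R5CR0001": ("[ro.product.manufacturer]: [samsung]\n"
                 "[ro.product.model]: [SM-S911B]\n"
                 "[ro.build.version.security_patch]: [2025-04-01]\n"),
    "R5CR0002": ("[ro.product.manufacturer]: [samsung]\n"
                 "[ro.product.model]: [SM-S908B]\n"
                 "[ro.build.version.security_patch]: [2025-02-01]\n"),
    "R5CR0003": ("[ro.product.manufacturer]: [samsung]\n"
                 "[ro.product.model]: [SM-F936B]\n"
                 "[ro.build.version.security_patch]: []\n"),
    "ZY22XYZ1": ("[ro.product.manufacturer]: [Google]\n"
                 "[ro.product.model]: [Pixel 8]\n"
                 "[ro.build.version.security_patch]: [2025-01-05]\n"),
}


if __name__ == "__main__":
    for serial, verdict in triage(SAMPLE_FLEET).items():
        print(f"{serial}: {verdict}")
```

In practice the getprop text comes from `adb shell getprop` per connected device, or from whatever property export the MDM exposes; only the parsing and the comparison date need to stay the same. Devices that come back as vulnerable or unknown are the ones to quarantine and update before anything else in this section is worth doing.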


Technical Details

Article Source: https://thehackernews.com/2025/11/samsung-zero-click-flaw-exploited-to.html (fetched 2025-11-08T02:51:38Z, 1108 words)

Threat ID: 690eb03c3a8fd010ecf20020

Added to database: 11/8/2025, 2:51:40 AM

Last enriched: 11/8/2025, 2:51:53 AM

Last updated: 11/21/2025, 12:36:41 PM

