ATLA WIRE

Samsung Zero-Click Flaw Exploited to Deploy LANDFALL Android Spyware via WhatsApp

08.11.2025
LANDFALL spyware exploited a Samsung Galaxy flaw (CVE-2025-21042) via WhatsApp images before April 2025 patch.

LANDFALL spyware weaponized a Samsung Galaxy zero-click vulnerability (CVE-2025-21042) through WhatsApp images—no user interaction needed. This exploit chain was active before Samsung patched it in April 2025.
The attack leveraged a flaw in Samsung's image processing, allowing malicious WhatsApp images to trigger remote code execution. Once inside, LANDFALL deployed full-spectrum surveillance capabilities: harvesting contacts, messages, location data, and microphone access.
CVE-2025-21042 was a memory corruption bug in Samsung's proprietary image codec—bypassing Android's sandbox and ASLR. The exploit chain used a maliciously crafted image sent via WhatsApp, automatically processed by Samsung's gallery app, leading to arbitrary code execution with system privileges.
LANDFALL's post-infection modules included: keystroke logging, screen recording, real-time location tracking, and exfiltration of WhatsApp/Telegram/Signal chats. The spyware operated stealthily, hiding its processes and using encrypted C2 channels.
Samsung addressed the flaw in their April 2025 security update. Users must ensure their Galaxy devices are updated to the latest patch level. The exploit was attributed to a sophisticated threat actor, with targets including journalists, activists, and government officials.
  • Zero-click exploit via WhatsApp images
  • CVE-2025-21042 memory corruption in Samsung image codec
  • Full device takeover and data exfiltration
  • Patched in Samsung's April 2025 security update
  • Attributed to advanced persistent threat (APT) group