
Sophisticated zero-click attack exploited Samsung's image processing library for months before detection
Google's Project Zero team has unveiled the technical details behind a sophisticated zero-day exploit that turned seemingly innocent WhatsApp images into weapons capable of completely compromising Samsung Galaxy devices.
The detailed technical analysis reveals how attackers weaponized DNG (Digital Negative) image files to deliver LANDFALL spyware, potentially requiring zero user interaction beyond receiving the malicious image.
The vulnerability, tracked as CVE-2025-21042, affected Samsung's proprietary libimagecodec.quram.so library and was actively exploited between July 2024 and February 2025 before Samsung patched it in April 2025. What made this attack particularly insidious was its delivery mechanism: malicious DNG files disguised as ordinary WhatsApp images with filenames like "WhatsApp Image 2025-02-10 at 4.54.17 PM.jpeg."
The exploit targeted com.samsung.ipservice, a Samsung-specific system service that automatically processes images in Android's MediaStore. When victims received and potentially downloaded these images through WhatsApp, the service passed them to the vulnerable image processing library, giving the attacker remote code execution without obvious user interaction.
LANDFALL: Commercial-Grade Mobile Surveillance
Palo Alto Networks' Unit 42 discovered the previously unknown LANDFALL spyware family, which enabled comprehensive surveillance including microphone recording, location tracking, and collection of photos, contacts, and call logs. The malware was embedded within DNG files as a hidden ZIP archive, automatically extracted and executed through a complex exploit chain.
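The delivery pattern described above (a DNG file carried under a .jpeg filename, with a ZIP archive hidden inside it) can be checked for when triaging received media. The following is an added example, not code from Project Zero, Unit 42 or Samsung; the function names and sample bytes are constructed for illustration, and the check is a heuristic that does not detect the CVE-2025-21042 trigger itself.

```python
import io
import struct
import zipfile

JPEG_MAGIC = b"\xff\xd8\xff"
TIFF_MAGICS = (b"II*\x00", b"MM\x00*")  # DNG is a TIFF-based container
ZIP_LOCAL = b"PK\x03\x04"               # local file header signature
ZIP_EOCD = b"PK\x05\x06"                # end-of-central-directory signature


def triage_image(name: str, data: bytes) -> dict:
    """Report extension/content mismatch and any ZIP archive carried in an image."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if data.startswith(JPEG_MAGIC):
        kind = "jpeg"
    elif data[:4] in TIFF_MAGICS:
        kind = "tiff/dng"
    else:
        kind = "unknown"
    mismatch = ext in ("jpg", "jpeg") and kind != "jpeg"

    # A ZIP is located from its end-of-central-directory record, so a valid
    # archive can sit behind arbitrary leading image bytes.
    members = []
    if ZIP_EOCD in data and ZIP_LOCAL in data:
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                members = zf.namelist()
        except zipfile.BadZipFile:
            pass  # signature bytes occurred by chance in pixel data
    return {"kind": kind, "ext_mismatch": mismatch, "zip_members": members}


def constructed_sample() -> bytes:
    # Constructed input: a bare little-endian TIFF header (no image data, no
    # exploit content) followed by a harmless ZIP built in memory.
    tiff = struct.pack("<2sHI", b"II", 42, 8) + b"\x00" * 64
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("placeholder.txt", "constructed sample")
    return tiff + buf.getvalue()


if __name__ == "__main__":
    print(triage_image("WhatsApp Image 2025-02-10 at 4.54.17 PM.jpeg",
                       constructed_sample()))
```

A file that reports both `ext_mismatch` and a non-empty `zip_members` matches the packaging the article describes and warrants closer analysis; either indicator alone can also occur in benign files.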
Evidence indicates the campaign primarily targeted users in the Middle East, with submissions to VirusTotal showing potential victims in Iran, Turkey, and Morocco. Researchers noted similarities in infrastructure to known commercial spyware operators, suggesting involvement of private-sector offensive actors.
Notably, this isn't the first time Samsung's image processing has come under scrutiny. In 2020, Cyber Kendra reported on Google Project Zero's discovery of a critical vulnerability in Samsung's Qmage format processing, also exploitable through MMS. The recurring vulnerabilities in proprietary Samsung image codecs highlight persistent security challenges in third-party libraries.
Broader Pattern of Image-Based Exploits
CVE-2025-21042 exemplifies an emerging trend in mobile exploitation: targeting complex media parsers that automatically handle images. Between 2024 and 2025, Apple mitigated a separate DNG image processing zero-day (CVE-2025-43300) that attackers combined with a WhatsApp vulnerability for zero-click exploitation.
Protecting Your Device
Samsung deployed patches in April 2025, but CISA added CVE-2025-21042 to its Known Exploited Vulnerabilities catalog, mandating federal agencies patch by December 1, 2025. Samsung stated all supported devices have now received the fix, though quarterly and biannual update schedules may have delayed deployment for some users.
Immediate actions for Samsung Galaxy users:
- Install the latest Samsung security updates immediately (April 2025 or later)
- Be cautious of unsolicited images, even from trusted contacts
- Monitor for suspicious file paths: /data/data/com.samsung.ipservice/files/
- Consider factory reset if device shows signs of compromise
The sophisticated nature of this attack demonstrates that mobile devices remain prime targets for advanced threat actors, with image processing libraries proving to be particularly attractive attack surfaces for delivering commercial-grade spyware.
Sources:
Google Project Zero
Samsung Advisory
Palo Alto Networks Unit 42
CISA KEV Catalog