CISA isn’t taking chances. After confirming that a Samsung zero-day is being used to deliver spyware through WhatsApp, the agency has issued an emergency directive: federal agencies must patch it by December 1 or stop using the devices altogether.
Samsung zero-day exploited in WhatsApp spyware attacks

The vulnerability, CVE-2025-21042, lurks in Samsung’s libimagecodec.quram.so library. Attackers use specially crafted DNG image files to hijack devices running Android 13 or later. The flaw allows full code execution, giving threat actors near-total access.
According to Unit 42, the team at Palo Alto Networks, this flaw has been under active exploitation since at least July 2024. The payload? A nasty piece of spyware called LandFall.
CISA patch order follows discovery of LandFall’s capabilities
LandFall isn’t subtle. Once deployed, it can:
- Record phone calls and ambient audio
- Steal SMS, call logs, photos, and contacts
- Track user location in real time
- View browsing history and access files
The spyware has been tied to attacks targeting high-profile Samsung models including the Galaxy S22, S23, and S24, as well as foldable devices like the Z Fold 4 and Z Flip 4.
Samsung zero-day patch mandatory for federal agencies
CISA has now added the vulnerability to its Known Exploited Vulnerabilities catalog. That’s government-speak for: “It’s real, it’s dangerous, and it’s out there.” The agency invoked Binding Operational Directive 22-01, requiring all civilian federal agencies to patch or pull affected Samsung devices by December 1.
Though the directive only binds federal entities, CISA is urging all organizations, public and private, to treat this as a priority. Ignoring it, the agency warns, opens the door to severe data compromise.
Tracking points to Stealth Falcon–style tactics
While attribution remains murky, hints point to familiar tactics. LandFall’s infrastructure overlaps with known Stealth Falcon operations, a group tied to UAE interests. The malware’s “Bridge Head” loader also mimics the naming conventions of commercial spyware from vendors like NSO Group and Cytrox.
Still, Unit 42 hasn’t pinned it on a specific actor, at least not yet.
Patch or unplug: CISA leaves no wiggle room
The Samsung zero-day isn’t just another line in a vulnerability list. It’s proof of how a single image file can turn a smartphone into a surveillance device. CISA’s stance is blunt: patch fast, follow vendor guidance, or shut it down.
Fast clicks cost trust, and now they might cost control.

