Executive Summary
Following the 2025 disclosures of CVE-2025-21042 and CVE-2025-21043 (both detailed below), the Cybersecurity and Infrastructure Security Agency (CISA) issued an alert about threat actors leveraging commercial spyware to compromise users of messaging applications. Attackers have combined social engineering and mimicry of trusted messaging apps with two technical vectors: malicious QR codes that abuse the device-linking feature of apps such as Signal, and crafted DNG image files shared through platforms such as WhatsApp that exploit an out-of-bounds write in Samsung's libimagecodec.quram.so image-decoding library on Galaxy devices. The primary victims are high-value individuals (government, military and political officials, and members of civil society), with activity observed across the United States, the Middle East and Europe. A successful compromise gives the operator unauthorized device access and a foothold for further payloads, putting personal and organizational data at risk.
CISA's alert underscores a sharp escalation in targeted commercial spyware activity, now using delivery vectors such as malicious QR codes and zero-click image exploits. It highlights the urgent need for preventive security hygiene, above all prompt installation of vendor security updates, as attackers increasingly aim at the mobile messaging platforms used by sensitive sectors.
Why This Matters Now
Commercial spyware operators are targeting messaging apps through methods such as zero-click image exploits and malicious QR codes, neither of which requires the victim to install anything. This exposes high-value individuals, government entities and civil society to espionage and data theft, and makes mobile device patching, hardening and user awareness an immediate priority.
Attack Path Analysis
Attackers gained initial access by delivering spyware through the messaging apps themselves: malicious QR codes, zero-click exploits against the image-decoding path, or social engineering. Once running, the spyware attempted to escalate privileges to escape the app sandbox and gain broader device or application access. With that access it could read messaging content and related data on the device and potentially reach enterprise resources the phone is trusted to access. It then established command-and-control channels so remote operators could issue instructions or deploy additional payloads. Exfiltration followed, with messages and other sensitive information sent to external servers. The resulting impact was ongoing surveillance, data theft, reputational harm and further compromise of targeted individuals and their organizations.
Kill Chain Progression
Initial Compromise
Description
Attackers used sophisticated social engineering, malicious QR codes, and zero-click exploits to deliver spyware via popular messaging apps, enabling initial unauthorized access to user devices.
Related CVEs
CVE-2025-21042
CVSS 9.8: An out-of-bounds write in Samsung's libimagecodec.quram.so image-decoding library allows a remote attacker to execute arbitrary code by sending a crafted DNG image; when the receiving app decodes incoming media automatically, no user interaction beyond receipt is needed. Fixed in Samsung's SMR Apr-2025 Release 1.
Affected Products:
Samsung Galaxy S22 – Android 13 through 16
Samsung Galaxy S23 – Android 13 through 16
Samsung Galaxy S24 – Android 13 through 16
Samsung Galaxy Z Fold4 – Android 13 through 16
Samsung Galaxy Z Flip4 – Android 13 through 16
Exploit Status:
exploited in the wild
References:
https://www.lookout.com/threat-intelligence/article/cve-2025-21042-update
https://insights.integrity360.com/threat-advisories/landfall-android-spyware-delivered-via-malicious-dng-images-to-samsung-devices?hs_amp=true
https://www.forbes.com/sites/daveywinder/2025/11/08/samsung-spyware-attack---critical-landfall-0-day-used-whatsapp-images/
CVE-2025-21043
CVSS 8.8: A second out-of-bounds write in the same libimagecodec.quram.so library allows remote attackers to execute arbitrary code via maliciously crafted images. Fixed in Samsung's SMR Sep-2025 Release 1.
Affected Products:
Samsung Galaxy S22 – Android 13 and later
Samsung Galaxy S23 – Android 13 and later
Samsung Galaxy S24 – Android 13 and later
Samsung Galaxy Z Fold4 – Android 13 and later
Samsung Galaxy Z Flip4 – Android 13 and later
Exploit Status:
exploited in the wild
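The two checks a mobile IR or MDM team would run against this CVE pair, written here as an added example (not code from the CISA alert or the cited reports). It assumes the fix levels from Samsung's SMR advisories (April 2025 for CVE-2025-21042, September 2025 for CVE-2025-21043) and compares them with the patch level a device reports via `adb shell getprop ro.build.version.security_patch`. The DNG walker is a triage heuristic, not a signature for the exploit: DNG is a TIFF container, so it follows the IFD chain (including SubIFD and Exif IFDs and strip/tile data) and reports how many bytes sit past everything a conforming reader references; the sample image is constructed inline, and `build_sample_dng`, `triage` and the 1 KiB threshold are this example's own choices.

```python
"""Added triage helpers for the Samsung image-codec CVEs (example, not vendor code)."""
from __future__ import annotations
import struct
from datetime import date

# Samsung Monthly Security Release (SMR) that shipped each fix, per Samsung's advisories.
FIX_LEVEL = {
    "CVE-2025-21042": date(2025, 4, 1),   # SMR Apr-2025 Release 1
    "CVE-2025-21043": date(2025, 9, 1),   # SMR Sep-2025 Release 1
}

def parse_patch_level(value: str) -> date:
    """Parse the 'YYYY-MM-DD' string reported by ro.build.version.security_patch."""
    y, m, d = (int(x) for x in value.strip().split("-"))
    return date(y, m, d)

def unpatched_cves(patch_level: str) -> list[str]:
    """CVEs whose fixing SMR is newer than the device's reported patch level."""
    level = parse_patch_level(patch_level)
    return sorted(cve for cve, fixed in FIX_LEVEL.items() if level < fixed)

# TIFF field type -> byte size (1 BYTE, 2 ASCII, 3 SHORT, 4 LONG, 5 RATIONAL, ...)
_TYPE_SIZE = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 6: 1, 7: 1, 8: 2, 9: 4, 10: 8, 11: 4, 12: 8, 13: 4}
_SUB_IFD_TAGS = {0x014A, 0x8769}                 # SubIFDs, Exif IFD pointer
_OFFSET_TAGS = {0x0111: 0x0117, 0x0144: 0x0145}  # Strip/Tile Offsets -> ByteCounts
_STRIP_TAGS = set(_OFFSET_TAGS) | set(_OFFSET_TAGS.values())

def _ints(data: bytes, endian: str, typ: int, n: int, raw: bytes) -> tuple[int, ...]:
    """Decode n SHORT/LONG values; they are stored inline when they fit in 4 bytes."""
    fmt = {3: "H", 4: "I"}[typ]
    size = struct.calcsize(fmt) * n
    if size > 4:
        (off,) = struct.unpack(endian + "I", raw)
        raw = data[off:off + size]
    if len(raw) < size:
        raise ValueError("value array runs past end of file")
    return struct.unpack(endian + fmt * n, raw[:size])

def dng_trailing_bytes(data: bytes) -> int:
    """Bytes after the last IFD, out-of-line value or strip/tile a TIFF reader would touch."""
    if len(data) < 8 or data[:2] not in (b"II", b"MM"):
        raise ValueError("not a TIFF/DNG container")
    endian = "<" if data[:2] == b"II" else ">"
    magic, first_ifd = struct.unpack(endian + "HI", data[2:8])
    if magic != 42:
        raise ValueError("bad TIFF magic")
    end, pending, seen = 8, [first_ifd], set()
    while pending:
        ifd = pending.pop()
        if ifd == 0 or ifd in seen:      # 0 terminates a chain; 'seen' defeats offset loops
            continue
        seen.add(ifd)
        if ifd + 2 > len(data):
            raise ValueError("IFD offset outside file")
        (count,) = struct.unpack(endian + "H", data[ifd:ifd + 2])
        ifd_end = ifd + 2 + count * 12 + 4
        if ifd_end > len(data):
            raise ValueError("IFD truncated")
        end = max(end, ifd_end)
        strips: dict[int, tuple[int, ...]] = {}
        for i in range(count):
            e = ifd + 2 + i * 12
            tag, typ, n = struct.unpack(endian + "HHI", data[e:e + 8])
            raw = data[e + 8:e + 12]
            size = _TYPE_SIZE.get(typ, 1) * n
            if size > 4:                             # out-of-line payload
                (off,) = struct.unpack(endian + "I", raw)
                end = max(end, off + size)
            if typ in (3, 4) and (tag in _SUB_IFD_TAGS or tag in _STRIP_TAGS):
                vals = _ints(data, endian, typ, n, raw)
                if tag in _SUB_IFD_TAGS:
                    pending.extend(vals)
                else:
                    strips[tag] = vals
        for off_tag, cnt_tag in _OFFSET_TAGS.items():
            for o, c in zip(strips.get(off_tag, ()), strips.get(cnt_tag, ())):
                end = max(end, o + c)                # pixel data referenced by this IFD
        (nxt,) = struct.unpack(endian + "I", data[ifd_end - 4:ifd_end])
        pending.append(nxt)
    return max(0, len(data) - end)

def build_sample_dng(tail: bytes = b"") -> bytes:
    """Constructed minimal little-endian DNG: one IFD, a 16-byte strip, optional appended tail."""
    entries = [(0x0100, 4, 1, 4), (0x0101, 4, 1, 4),        # ImageWidth, ImageLength
               (0x0111, 4, 1, 0), (0x0117, 4, 1, 16),       # StripOffsets (patched), StripByteCounts
               (0xC612, 1, 4, 0x00000401)]                  # DNGVersion 1.4.0.0, inline bytes
    strip_off = 8 + 2 + len(entries) * 12 + 4
    entries[2] = (0x0111, 4, 1, strip_off)
    out = bytearray(b"II*\x00" + struct.pack("<IH", 8, len(entries)))
    for tag, typ, n, val in entries:
        out += struct.pack("<HHII", tag, typ, n, val)
    return bytes(out + struct.pack("<I", 0) + bytes(16) + tail)

def triage(patch_level: str, image: bytes, tail_threshold: int = 1024) -> dict:
    """Combine both checks; a malformed container is treated as suspicious too."""
    try:
        tail, malformed = dng_trailing_bytes(image), False
    except ValueError:
        tail, malformed = len(image), True
    return {"unpatched": unpatched_cves(patch_level), "trailing_bytes": tail,
            "suspicious": malformed or tail >= tail_threshold}

if __name__ == "__main__":
    clean = build_sample_dng()
    stuffed = build_sample_dng(b"PK\x03\x04" + bytes(4096))   # constructed: archive appended to image
    print(triage("2025-03-01", clean))     # unpatched for both CVEs, image clean
    print(triage("2025-03-01", stuffed))   # unpatched, 4100 trailing bytes -> suspicious
    print(triage("2025-10-01", clean))     # patched, clean
```

Feed `dng_trailing_bytes` the media files pulled from a messaging app's received-media directory; a benign DNG normally has no bytes past its last referenced structure, so a multi-kilobyte tail or a container the walker rejects is worth a closer look, while the patch-level check tells you which devices in the fleet still need the April and September 2025 SMRs.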
MITRE ATT&CK® Techniques
Search Open Websites/Domains: Social Media
Phishing: Spearphishing Attachment
Deliver Malicious App via Third-Party App Stores
Exploitation of Messaging Applications
Download New Code at Runtime
Exploitation for Privilege Escalation
Multi-Factor Authentication Interception
Access Sensitive Data in Device Logs or Storage
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Strong authentication for all access to system components
Control ID: 8.3.1
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
NIS2 Directive – Security in network and information systems acquisition, development and maintenance, including vulnerability handling
Control ID: Art. 21(2)(e)
DORA – Protection and Prevention
Control ID: Article 9
CISA ZTMM 2.0 – Continuous device inventory and security enforcement
Control ID: Device Pillar: Asset Management & Device Security
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Government Administration
High-value government officials are targeted by commercial spyware delivered through messaging apps. Because the exploit runs on the handset, the controls that matter are prompt installation of vendor security updates, hardened device configurations, and zero-trust policies that limit what a compromised phone's identity can reach.
Military Industry
Current and former military officials face targeted spyware attacks through messaging applications. End-to-end encryption does not protect a conversation once the endpoint is compromised, so sensitive communications depend on the device itself being patched and hardened.
Civic/Social Organization
Civil society organizations are specifically targeted by commercial spyware operators and need mobile security guidelines, including keeping devices on current security patch levels, and threat detection suited to individuals rather than corporate fleets.
Political Organization
Political officials across the United States, the Middle East and Europe are targeted through messaging-app spyware, requiring anomaly detection on accounts and devices and secure communication practices such as verifying linked devices.
Sources
- CISA alert draws attention to spyware's targeting of messaging apps: https://cyberscoop.com/cisa-alert-draws-attention-to-spywares-targeting-of-messaging-apps/
- CVE-2025-21043 in Samsung devices | Threat Intel: https://www.lookout.com/threat-intelligence/article/cve-2025-21042-update
- LANDFALL: Android spyware delivered via malicious DNG images to Samsung devices: https://insights.integrity360.com/threat-advisories/landfall-android-spyware-delivered-via-malicious-dng-images-to-samsung-devices?hs_amp=true
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Applying Zero Trust controls such as segmentation, east-west traffic filtering, inline anomaly detection and robust egress policy enforcement would limit a compromised device's ability to reach further resources, exfiltrate sensitive data and maintain control within the environment. CNSF capabilities help contain threats, minimize blast radius and ensure threat activity is rapidly detected or blocked across cloud and hybrid workloads. These are network-side controls: they act on the enterprise and cloud resources a compromised phone connects to, and they cannot see a payload carried inside an end-to-end encrypted message, so they complement, rather than replace, installing the Samsung security updates and disabling automatic media download in messaging apps on high-risk devices.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: Inline controls would detect and block known malicious payload delivery at the cloud edge, for traffic the edge can inspect.
Control: Zero Trust Segmentation
Mitigation: Microsegmentation policies prevent excessive access to sensitive resources even if privilege escalation is attempted.
Control: East-West Traffic Security
Mitigation: Realtime filtering would restrict unauthorized internal communications and block suspicious lateral movement.
Control: Threat Detection & Anomaly Response
Mitigation: Anomaly detection alerts on patterns associated with C2 traffic, enabling timely response.
Control: Egress Security & Policy Enforcement
Mitigation: Strict egress controls detect and block unauthorized outbound data transfers.
Centralized monitoring rapidly detects post-exploitation activity, supporting swift containment and response.
Impact at a Glance
Affected Business Functions
- Communications
- Data Security
- User Privacy
Estimated downtime: 7 days
Estimated loss: $5,000,000
Potential exposure of sensitive user data including messages, contacts, call logs, photos, and location information.
Recommended Actions
Key Takeaways & Next Steps
- Enforce zero trust segmentation and east-west isolation so that a compromised device's identity cannot reach resources it has no need for, containing the outbreak.
- Enable real-time traffic inspection and threat detection to identify covert spyware command and control or policy violations.
- Apply strict egress controls and FQDN filtering to block unauthorized data exfiltration from workloads and applications.
- Centralize multi-cloud and hybrid environment visibility for comprehensive monitoring and rapid incident response.
- Ensure all interconnects use robust encryption (e.g., TLS 1.3 or IPsec) to safeguard data in transit from packet sniffing and interception.