ISO, SOC2 Type 1, SOC2 Type 2, PCI DSS, HIPAA, GDPR

Samsung Mobile is at the forefront of mobile intelligence, shaping the future with Galaxy AI. With the next evolution of Galaxy AI, we are making lives simpler–reducing stress, creating more time, and getting the help you need without even having to ask. In this era of mobile AI, the freedom to focus on what matters most to you is no longer a dream, but a powerful reality. The future of Galaxy AI is here: more personal, intuitive, and transformative, unlocking endless possibilities and revolutionizing how your Galaxy can work for you. Life opens up with Galaxy AI.

Samsung Mobile A.I CyberSecurity Scoring

Samsung Mobile

Company Details

LinkedIn ID: samsungmobile
Employees number: 18,959
Number of followers: 647,859
NAICS: None
Industry Type: Consumer Electronics
Homepage: samsung.com
IP Addresses: Scan still pending
Company ID: SAM_2897948
Scan Status: In-progress

Samsung Mobile Risk Score (AI oriented): Between 700 and 749

  • Powered by our proprietary A.I cyber incident model
  • Insurance prefers the TPRM score to calculate premiums

Samsung Mobile Global Score (TPRM): XXXX

  • Instant access to detailed risk factors
  • Benchmark vs. industry & size peers
  • Vulnerabilities
  • Findings

Samsung Mobile

Current Score: 738, Ba (Moderate)
Scale: 0 to 1000
8 incidents, -3.5 avg impact

Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.

DECEMBER 2025: 738
NOVEMBER 2025: 737
OCTOBER 2025: 736
SEPTEMBER 2025: 735
AUGUST 2025: 733
JULY 2025: 732
JUNE 2025: 730
MAY 2025: 729
APRIL 2025: 731
Vulnerability
28 Apr 2025 • Samsung
Samsung Clipboard Vulnerability

Samsung acknowledged that certain Galaxy devices running One UI retain clipboard contents—including passwords copied from password managers—in plaintext indefinitely. A user reported that sensitive credentials remain accessible until manually cleared, creating a potential treasure trove for malware or malicious apps. Samsung advised manual clipboard clearing and secure input methods while promising to evaluate auto-clear or exclusion features in a future update.

727
low -4
SAM600042825
Vulnerability
Clipboard data retention
Plaintext clipboard retention
Sensitive credentials Passwords Galaxy devices running One UI
Manual clipboard clearing Secure input methods
Sensitive credentials Passwords Sensitivity Of Data: High
APRIL 2025: 733
Vulnerability
01 Apr 2025 • Samsung
LANDFALL Android Spyware Campaign Exploiting Samsung Zero-Day (CVE-2025-21042)

The **LANDFALL** spyware campaign exploited a zero-day vulnerability (**CVE-2025-21042**) in Samsung’s Android image processing library, targeting Galaxy devices (S22, S23, S24, Z Fold4, Z Flip4). Distributed via malformed DNG image files on WhatsApp, the malware enabled **extensive surveillance**—including microphone recording, location tracking, call log theft, and extraction of photos, contacts, and SMS messages. The attack leveraged **SELinux manipulation** for persistence and evasion, with evidence linking it to **commercial spyware operations** (e.g., Stealth Falcon, Variston framework) and **targeted intrusions in the Middle East** (Iraq, Iran, Turkey, Morocco). The vulnerability remained unpatched until **April 2025**, exposing users for nearly a year. While Samsung later patched related flaws (e.g., **CVE-2025-21043**), the campaign’s **modular design** suggests potential for expanded payloads. The attack’s **sophistication**—combining zero-day exploitation, encrypted C2 communication, and anti-forensic techniques—highlights risks to **high-profile individuals, government entities, and critical infrastructure** in the region. Palo Alto’s Unit 42 confirmed **no WhatsApp vulnerabilities** were involved, but the use of a **trusted messaging platform** amplified the attack’s reach and credibility.

730
critical -3
SAM1862118110825
spyware zero-day exploit targeted intrusion
malicious DNG image files WhatsApp messaging platform CVE-2025-21042 (Samsung image processing library)
CVE-2025-21042 (Samsung Android image processing library)
surveillance targeted espionage commercial spyware deployment
microphone recordings location data call logs photos contacts SMS messages Samsung Galaxy S22/S23/S24 Z Fold4 Z Flip4 potential reputational damage to Samsung concerns over device security high (PII exfiltration) location tracking
Unit 42 (Palo Alto Networks) Samsung security patches (April 2025, September 2025) Palo Alto Networks detection updates (Advanced WildFire, URL Filtering, DNS Security, Threat Prevention) device security updates malware signature updates public advisory via Unit 42 report media coverage Palo Alto Networks threat detection tools
PII (contacts, SMS, photos) geolocation data call logs microphone recordings Sensitivity Of Data: high (personal and surveillance data) SELinux policy manipulation for persistence DNG images (malicious payload) photos SMS databases contact lists
Zero-day vulnerabilities in image processing libraries are increasingly weaponized across mobile platforms (similar iOS exploits in 2025). Commercial spyware actors leverage ephemeral infrastructure (e.g., non-standard TCP ports) and modular architectures to evade detection. Supply chain risks extend to messaging platforms (WhatsApp) used as delivery mechanisms, even without platform vulnerabilities. SELinux policy manipulation is a critical evasion technique for Android malware persistence.
Apply Samsung security patches promptly (April 2025 or later). Monitor for suspicious DNG/JPEG files received via messaging apps. Deploy advanced threat detection tools (e.g., Palo Alto Networks’ WildFire). Audit device permissions and SELinux policies for anomalies. Educate users on risks of unsolicited image files, even from known contacts. Investigate potential links to commercial spyware vendors (e.g., NSO Group, Variston).
ongoing (tracked as CL-UNK-1054 by Unit 42)
Samsung security bulletins media reports
Palo Alto Networks customers notified via product updates
Entry Point: malicious DNG files via WhatsApp Reconnaissance Period: 2024-01 to 2025-02 (samples uploaded to VirusTotal) SELinux policy manipulation persistent C2 communication via HTTPS/ephemeral ports government/individual targets in Middle East
Unpatched zero-day in Samsung’s image processing library (CVE-2025-21042). Lack of validation for malformed DNG files in Android’s media stack. Exploitation of WhatsApp as a trusted delivery vector. Commercial spyware tradecraft (e.g., modular architecture, evasion techniques). Samsung patched CVE-2025-21042 (April 2025) and CVE-2025-21043 (September 2025). Palo Alto Networks updated detection signatures for LANDFALL indicators. Ongoing attribution analysis by Unit 42 (CL-UNK-1054).
MARCH 2025: 733
FEBRUARY 2025: 732
JANUARY 2025: 731
AUGUST 2024: 725
Vulnerability
01 Aug 2024 • Samsung
Exploitation of CVE-2024-7399 in Samsung MagicINFO v9 Server

In late 2024, attackers began exploiting CVE-2024-7399, an easily reachable path traversal flaw in Samsung MagicINFO v9 Server, to deploy a malicious JSP payload. The vulnerability allowed unauthenticated actors to upload and execute arbitrary scripts on signage management servers, which are commonly deployed in retail stores, transportation hubs, corporate lobbies and healthcare facilities. Once executed, the payload installed a downloader for the Mirai botnet, turning commercial displays into nodes for distributed denial-of-service attacks. Although no sensitive customer or employee information was stolen, the intrusion compromised system integrity and posed a risk of large-scale service disruptions. Administrators reported sporadic outages of digital signage and unusual outbound connections from Windows Server instances. Samsung released a patch in August 2024, but exploitation surged after a proof-of-concept exploit was published. Organizations running MagicINFO v9 prior to version 21.1050.0 faced ongoing exposure until they applied the update. The incident underscores the critical need for timely patch management to avoid opportunistic bottleneck attacks on nontraditional devices.

722
low -3
SAM301050625
Botnet Infection
Path Traversal
CVE-2024-7399
DDoS Attacks
Systems Affected: Signage management servers, Windows Server instances Downtime: Sporadic outages of digital signage
The incident underscores the critical need for timely patch management to avoid opportunistic bottleneck attacks on nontraditional devices.
Entry Point: Path Traversal
Root Causes: CVE-2024-7399 vulnerability Corrective Actions: Apply the patch released by Samsung in August 2024
JULY 2024: 728
Vulnerability
01 Jul 2024 • Samsung
LANDFALL Android Spyware Campaign Exploiting Samsung Zero-Day (CVE-2025-21042)

Security researchers at Palo Alto Networks uncovered **LANDFALL**, a sophisticated Android spyware campaign exploiting a **zero-day vulnerability (CVE-2025-21042, CVSS 8.8)** in Samsung Galaxy devices (S22, S23, S24, Z Fold 4, Z Flip 4). The attack leveraged malformed DNG image files (disguised as WhatsApp transfers) to deploy modular spyware capable of **recording audio/calls, tracking location, harvesting SMS/contacts/files, and maintaining persistence via SELinux manipulation**. Targets included high-value individuals in **Middle East/North Africa (Iraq, Iran, Turkey, Morocco)**, suggesting state-sponsored or commercial espionage motives. While the flaw was patched in **April 2025**, the campaign operated since **July 2024**, exposing users to prolonged surveillance risks. The attack’s **zero-click potential** (unconfirmed) and modular design (loader + privilege escalation + C2) align with advanced threat actors like **Stealth Falcon**, historically linked to regional espionage. The incident underscores rising risks in mobile ecosystems, where image-processing libraries (e.g., `libimagecodec.quram.so`) are increasingly exploited for targeted intrusions.

724
critical -4
SAM5892158110825
Espionage Zero-Day Exploit Spyware Mobile Malware
Malformed DNG Image Files Messaging Apps (e.g., WhatsApp) Potential Zero-Click Exploit
CVE-2025-21042 (CVSS 8.8) - Out-of-Bounds Write in libimagecodec.quram.so
Targeted Espionage (likely state-sponsored or commercial spyware)
Microphone Audio/Call Recordings Device Location Photos SMS Files Contacts Call Logs Samsung Galaxy S22 Samsung Galaxy S23 Samsung Galaxy S24 Samsung Galaxy Z Fold 4 Samsung Galaxy Z Flip 4 Operational Impact: High (surveillance capabilities, persistence via SELinux policy manipulation) Brand Reputation Impact: Moderate (high-profile zero-day exploit in flagship devices) Identity Theft Risk: High (PII exfiltration)
Incident Response Plan Activated: Yes (by Samsung and Palo Alto Networks Unit 42) Palo Alto Networks Unit 42 Patch released by Samsung (April 2025) Device updates Monitoring for anomalous behaviors (e.g., C2 connections, suspicious image files) Public disclosure by Palo Alto Networks Unit 42 Security advisories Enhanced Monitoring: Recommended (for anomalous network connections, microphone usage, etc.)
Audio Recordings Location Data Photos SMS Files Contacts Call Logs Sensitivity Of Data: High (includes PII and surveillance data) Data Exfiltration: Yes DNG Images (malformed, with embedded ZIP payloads) Photos SMS Contacts Call Logs Personally Identifiable Information: Yes (contacts, call logs, location data)
Image-processing libraries (e.g., DNG/TIFF) are emerging as critical attack surfaces in mobile devices. Messaging apps and 'image' files can serve as stealthy initial vectors for advanced malware. Modular spyware architectures (loader + privilege escalation + C2) resemble commercial spyware, suggesting targeted espionage motives. Mobile devices, especially flagship models, must be treated as high-value targets for espionage, not just commodity malware. Long exposure windows (e.g., vulnerability exploited since July 2024, patched in April 2025) highlight the need for proactive monitoring and rapid patching.
Ensure all Samsung devices are updated to the latest firmware (post-April 2025 patch). Treat mobile devices as potential espionage targets, especially in high-risk regions or sectors. Monitor for anomalous behaviors: unexpected network connections (C2 indicators), suspicious image files via chat apps, unauthorized microphone/camera usage. Review and enforce messaging-app usage policies, including scrutiny of attachments (even from trusted sources). Implement endpoint detection and response (EDR) solutions capable of detecting mobile spyware behaviors. Educate users on the risks of malformed image files and social engineering via messaging platforms.
Ongoing (attribution to Stealth Falcon/FruityArmor is tentative; initial vector unconfirmed)
Update devices to the latest Samsung firmware Avoid opening suspicious image files from unknown sources Report unusual device behaviors (e.g., unexpected recordings, location tracking)
Apply patches immediately Monitor for indicators of compromise (IoCs) Review mobile security policies
Malformed DNG image files (e.g., WhatsApp transfers) Potential zero-click exploit via messaging apps Backdoors Established: Yes (via modified SELinux policy for persistence) Samsung Galaxy flagship devices (S22, S23, S24, Z Fold 4, Z Flip 4) Users in Middle East/North Africa (Iraq, Iran, Turkey, Morocco)
Zero-day vulnerability (CVE-2025-21042) in Samsung’s image-processing library (libimagecodec.quram.so). Lack of user awareness about risks associated with image files via messaging apps. Delayed patching (vulnerability exploited since July 2024, patched in April 2025). Sophisticated modular spyware design (LANDFALL) enabling privilege escalation and persistence. Samsung issued patches for CVE-2025-21042 (April 2025). Public disclosure by Unit 42 to raise awareness and prompt mitigations. Recommendations for organizations to treat mobile devices as high-value espionage targets. Encouragement for users to update devices and scrutinize messaging app attachments.
DECEMBER 2022: 711
Cyber Attack
01 Dec 2022 • Samsung Mobile
Samsung Galaxy Devices Hacked at Pwn2Own Event

Last year, during the Pwn2Own hacking event in Austin, Texas, Samsung Galaxy S21 devices were hacked, not once but twice, across a period of just 48 hours. This year, Samsung’s flagship Galaxy S22 smartphone also fell to zero-day exploits twice on the same day. But this time, Samsung fixed the issues before malicious threat actors could do any harm.

696
critical -15
SAM221971222
Zero-day Exploit
Hacking Event
Zero-day vulnerabilities
Research/Event Participation
Samsung Galaxy S21 Samsung Galaxy S22
Issued patches and updates
SEPTEMBER 2022: 753
Breach
01 Sep 2022 • Samsung Mobile
Samsung Data Breach

Samsung suffered a data breach: attackers compromised Samsung systems in the U.S., exposing some personal data of U.S. customers. The compromised information includes name, contact details, demographic data, date of birth, and product registration data. Samsung said that no credit or debit card information was accessed, nor Social Security numbers. Customers were warned to be on the lookout for unauthorized emails, messages, or phone calls that could exploit the stolen data to engage them, and they received a free credit report.

707
critical -46
SAM15243922
Data Breach
name contact details demographic data date of birth product registration data
Warned customers to be on the lookout for unauthorized communications Offered free credit report
name contact details demographic data date of birth product registration data name contact details date of birth
Warned customers to be on the lookout for unauthorized communications Offered free credit report
MARCH 2022: 794
Breach
01 Mar 2022 • Samsung Mobile
Lapsus$ Hacker Group Attack on Samsung

Samsung was recently targeted by the Lapsus$ hacker group. The attackers gained access to its servers and stole 190GB of confidential data, including the source code of Galaxy devices. The company immediately took its systems offline and strengthened its security systems.

748
critical -46
SAM22357322
Data Breach
Source code of Galaxy devices
Took systems offline; strengthened security systems
Source code Sensitivity Of Data: High Data Exfiltration: Yes
JUNE 2015: 794
Vulnerability
01 Jun 2015 • Samsung Mobile
Samsung Keyboard Software Bug

Back in 2015, more than 600 million Samsung mobile phones around the world were vulnerable to a software bug discovered in the phone's keyboard. The bug could allow hackers to secretly monitor the phone's camera and microphone, install apps without permission, and monitor text messages. The company identified the bug and fixed it in the next update to lower the risks.

790
critical -4
SAM21281522
Software Vulnerability
Software Bug
Keyboard Software Bug
Unauthorized access and monitoring
Systems Affected: Mobile Phones
Remediation Measures: Software update

Frequently Asked Questions

According to Rankiteo, the current A.I.-based Cyber Score for Samsung Mobile is 738, which corresponds to a Moderate rating.

According to Rankiteo, the A.I. Rankiteo Cyber Score for November 2025 was 737.

According to Rankiteo, the A.I. Rankiteo Cyber Score for October 2025 was 736.

According to Rankiteo, the A.I. Rankiteo Cyber Score for September 2025 was 735.

According to Rankiteo, the A.I. Rankiteo Cyber Score for August 2025 was 733.

According to Rankiteo, the A.I. Rankiteo Cyber Score for July 2025 was 732.

According to Rankiteo, the A.I. Rankiteo Cyber Score for June 2025 was 730.

According to Rankiteo, the A.I. Rankiteo Cyber Score for May 2025 was 729.

According to Rankiteo, the A.I. Rankiteo Cyber Score for April 2025 was 730.

According to Rankiteo, the A.I. Rankiteo Cyber Score for March 2025 was 733.

According to Rankiteo, the A.I. Rankiteo Cyber Score for February 2025 was 732.

According to Rankiteo, the A.I. Rankiteo Cyber Score for January 2025 was 731.

Over the past 12 months, the average per-incident point impact on Samsung Mobile’s A.I Rankiteo Cyber Score has been -3.5 points.

You can access Samsung Mobile’s cyber incident details on Rankiteo by visiting the following link: https://www.rankiteo.com/company/samsungmobile.

You can find the summary of the A.I Rankiteo Risk Scoring methodology on Rankiteo by visiting the following link: Rankiteo Algorithm.

You can view Samsung Mobile’s profile page on Rankiteo by visiting the following link: https://www.rankiteo.com/company/samsungmobile.

With scores of 18.5/20 from OpenAI ChatGPT, 20/20 from Mistral AI, and 17/20 from Claude AI, the A.I. Rankiteo Risk Scoring methodology is validated as a market leader.