Cybersecurity researchers at Unit 42 have uncovered a sophisticated Android spyware campaign that exploited a previously unknown zero-day vulnerability in Samsung Galaxy devices.
The malware, dubbed LANDFALL, leveraged a critical vulnerability in Samsung’s image processing library to deliver commercial-grade surveillance capabilities through maliciously crafted image files sent via WhatsApp.
The LANDFALL campaign exploited CVE-2025-21042, a zero-day vulnerability in Samsung’s Android image processing library that remained unpatched until April 2025.
Attackers embedded the spyware within malformed DNG (Digital Negative) image files, which were delivered to targets through WhatsApp messages.
The exploitation method closely resembles a similar attack chain discovered targeting Apple iOS devices in August 2025, highlighting a broader pattern of DNG image processing vulnerabilities being weaponized across mobile platforms.
Unit 42’s discovery came during their investigation of iOS exploit chains when they identified several suspicious DNG files uploaded to VirusTotal throughout 2024 and early 2025.
The filenames, such as “WhatsApp Image 2025-02-10 at 4.54.17 PM.jpeg” and “IMG-20240723-WA0000.jpg,” strongly suggest the malware was distributed through WhatsApp’s messaging platform. Importantly, researchers found no vulnerabilities in WhatsApp itself the application was merely used as a delivery mechanism.
LANDFALL is specifically designed to target Samsung Galaxy devices, including the S22, S23, and S24 series, as well as Z Fold4 and Z Flip4 models.
The b.so component of LANDFALL communicates with its C2 server over HTTPS using a non-standard, ephemeral TCP port.
The spyware enables extensive surveillance capabilities, including microphone recording, location tracking, call log collection, and extraction of photos, contacts, and SMS messages. Its modular architecture suggests it could download additional components to expand its functionality.
The malware’s loader component, internally referred to as “Bridge Head,” contains sophisticated evasion techniques to avoid detection by security tools and debugging frameworks.
Analysis revealed the spyware could manipulate Android’s SELinux security policies to maintain elevated permissions and establish persistence on infected devices.
Evidence indicates LANDFALL was deployed in targeted intrusion activities within the Middle East, with potential victims identified in Iraq, Iran, Turkey, and Morocco.
The campaign’s infrastructure and tradecraft patterns share similarities with commercial spyware operations associated with private sector offensive actors (PSOAs) entities that develop and sell surveillance tools to government clients.
Researchers noted potential connections to the Stealth Falcon threat group and possible links to the Variston spyware framework, which reportedly operated out of Barcelona before ceasing operations in early 2025.
The b.so file’s configuration is managed through a combination of hard-coded default values and an encrypted JSON object embedded within itself.
The “Bridge Head” naming convention used by LANDFALL matches terminology employed by several known commercial spyware vendors, including NSO Group and Variston.
Unit 42 tracks this activity as CL-UNK-1054 and continues investigating the campaign’s scope and attribution. Palo Alto Networks customers receive protection through Advanced WildFire, Advanced URL Filtering, Advanced DNS Security, and Advanced Threat Prevention products, which have been updated to detect LANDFALL-related indicators.
The earliest LANDFALL samples appeared in July 2024, months before Samsung addressed the vulnerability in April 2025.
In September 2025, Samsung patched an additional related vulnerability, CVE-2025-21043, further protecting users from similar attack vectors. Samsung users who have applied security updates since April 2025 are no longer at risk from this specific exploit.
| SHA256 Hash | Filename | Size |
|---|---|---|
| b06dec10e8ad0005ebb9da24204c96cb2e297bd8d418bc1c8983d066c0997756 | img-20250120-wa0005.jpg | 6.66 MB |
| c0f30c2a2d6f95b57128e78dc0b7180e69315057e62809de1926b75f86516b2e | 2.tiff | 6.58 MB |
| 9297888746158e38d320b05b27b0032b2cc29231be8990d87bc46f1e06456f93 | whatsapp image 2025-02-10 at 4.54.17 pm.jpeg | 6.66 MB |
| d2fafc7100f33a11089e98b660a85bd479eab761b137cca83b1f6d19629dd3b0 | b.so | 103.31 KB |
| 384f073d3d51e0f2e1586b6050af62de886ff448735d963dfc026580096d81bd | (unknown) | 103.31 KB |
| b975b499baa3119ac5c2b3379306d4e50b9610e9bba3e56de7dfd3927a96032d | 1.jpeg | 5.66 MB |
| a62a2400bf93ed84ebadf22b441924f904d3fcda7d1507ba309a4b1801d44495 | (unknown) | 103.31 KB |
| 29882a3c426273a7302e852aa77662e168b6d44dcebfca53757e29a9cdf02483 | img-20240723-wa0001.jpg | 6.58 MB |
| 2425f15eb542fca82892fd107ac19d63d4d112ddbfe698650f0c25acf6f8d78a | 6357fc.zip | 380.71 KB |
| b45817ffb0355badcc89f2d7d48eecf00ebdf2b966ac986514f9d971f6c57d18 | img-20240723-wa0000.jpg | 5.65 MB |
| 69cf56ac6f3888efa7a1306977f431fd1edb369a5fd4591ce37b72b7e01955ee | localfile~ | 1.42 MB |
| 211311468f3673f005031d5f77d4d716e80cbf3c1f0bb1f148f2200920513261 | l | 332.88 KB |
| ffeeb0356abb56c5084756a5ab0a39002832403bca5290bb6d794d14b642ffe2 | (unknown) | 103.31 KB |
Follow us on Google News, LinkedIn, and X to Get Instant Updates and Set GBH as a Preferred Source in Google.
