LANDFALL: New Commercial-Grade Android Spyware in Exploit Chain Targeting Samsung Devices


Key Takeaways:

  • LANDFALL is a sophisticated Android spyware targeting Samsung Galaxy devices.
  • It exploits a zero-day vulnerability (CVE-2025-21042) in Samsung’s image processing library.
  • The spyware is delivered through malformed DNG image files, potentially via WhatsApp.
  • LANDFALL possesses extensive capabilities for data exfiltration, device fingerprinting, and persistence.
  • The campaign shares characteristics with other commercial spyware operations in the Middle East.


Published: November 7, 2025

Unit 42 researchers have identified a sophisticated Android spyware, LANDFALL, that was used in targeted attacks against Samsung Galaxy devices. The spyware leverages CVE-2025-21042, a zero-day vulnerability (CVSS score unavailable) in Samsung’s Android image processing library. This vulnerability was actively exploited in the wild before a patch was released in April 2025. The LANDFALL campaign highlights the persistent threat posed by commercial-grade spyware and the importance of addressing vulnerabilities in mobile platforms.

Executive Summary

The LANDFALL campaign involved the use of malformed DNG image files, seemingly distributed via WhatsApp, to deliver Android spyware to targeted Samsung Galaxy devices. The spyware exploits a critical zero-day vulnerability, CVE-2025-21042, in Samsung’s image processing library (libimagecodec.quram.so). This vulnerability allowed attackers to execute arbitrary code on affected devices. Unit 42’s investigation revealed that the LANDFALL operation was active for several months, beginning in mid-2024, before the vulnerability was patched. The campaign shares characteristics with other commercial spyware operations in the Middle East, potentially linking it to private-sector offensive actors (PSOAs).

LANDFALL is Android spyware specifically designed against Samsung Galaxy devices, used in targeted intrusion activities within the Middle East. The spyware is delivered through malformed DNG image files exploiting CVE-2025-21042 – a critical zero-day vulnerability in Samsung’s image processing library, which was exploited in the wild. The exploit chain possibly involved zero-click delivery using maliciously crafted images, similar to recent exploit chains seen on iOS and Samsung Galaxy. The campaign shares infrastructure and tradecraft patterns with commercial spyware operations in the Middle East, indicating possible links to private-sector offensive actors (PSOAs). LANDFALL remained active and undetected for months.

LANDFALL Spyware Discovery

The discovery of the LANDFALL spyware began with a search for samples related to an iOS exploit chain. This search led to the identification of several DNG image files containing embedded Android spyware targeting Samsung Galaxy devices. Analysis confirmed that these files exploited CVE-2025-21042.

Beginning the Hunt: The iOS Exploit Chain and How It Made Us Wonder

In August 2025, Apple addressed CVE-2025-43300, a zero-day vulnerability in DNG image parsing. Around the same time, WhatsApp reported CVE-2025-55177, which, when combined with the Apple vulnerability, enabled zero-click remote code execution through malicious images sent via WhatsApp messages. The discovery of this exploit chain prompted a search for related activity, leading to the discovery of the LANDFALL spyware.

Malformed DNG Image Files: A New Attack Vector Trend

LANDFALL is delivered through malformed DNG image files containing an embedded ZIP archive. This archive contains shared object library (.so) files that, when extracted and executed, deploy the LANDFALL spyware. The filenames of the malicious DNG files, such as “WhatsApp Image 2025-02-10 at 4.54.17 PM.jpeg” and “IMG-20240723-WA0000.jpg”, suggest that WhatsApp was used as a delivery mechanism. This method is similar to previously reported DNG image-based exploitation targeting Apple devices.
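A triage check for the delivery artifact described above, written as an added example (not Unit 42 code): it looks for a TIFF/DNG header behind a .jpg/.jpeg name and for a ZIP archive embedded in the file whose members include native libraries. The sample file and the ELF stubs inside it are constructed inline; the ZIP layout follows the standard end-of-central-directory record.

```python
"""Triage check for images carrying an embedded ZIP (added example, not Unit 42 code).
LANDFALL droppers were DNG files named .jpg/.jpeg with a ZIP of .so payloads inside;
the sample file below is constructed inline."""
import io
import struct
import zipfile

TIFF_MAGICS = (b"II*\x00", b"MM\x00*")   # DNG is TIFF-based: little/big-endian headers
EOCD_SIG = b"PK\x05\x06"                  # ZIP end-of-central-directory signature
SUSPICIOUS_SUFFIXES = (".so", ".dex", ".jar")

def find_embedded_zip(data: bytes):
    """Return (archive start offset, member names) if a ZIP is embedded, else None."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        return None
    # EOCD layout: sig(4) disk(2) cd_disk(2) n_disk(2) n_total(2) cd_size(4) cd_offset(4)
    cd_size, cd_offset = struct.unpack_from("<II", data, eocd + 12)
    # cd_offset is relative to the archive start: real CD position minus claimed position
    start = eocd - cd_size - cd_offset
    if start < 0 or data[start:start + 4] != b"PK\x03\x04":
        return None
    with zipfile.ZipFile(io.BytesIO(data[start:])) as zf:
        return start, zf.namelist()

def triage_image(data: bytes, filename: str) -> dict:
    """Combine the three signals into one verdict for a single file."""
    is_tiff = data[:4] in TIFF_MAGICS
    mismatch = is_tiff and filename.lower().endswith((".jpg", ".jpeg"))
    found = find_embedded_zip(data)
    members = found[1] if found else []
    flagged = [n for n in members if n.lower().endswith(SUSPICIOUS_SUFFIXES)]
    return {
        "tiff_header": is_tiff,
        "name_mismatch": mismatch,
        "zip_offset": found[0] if found else None,
        "members": members,
        "flagged_members": flagged,
        "suspicious": is_tiff and bool(flagged),
    }

def build_sample() -> bytes:
    """Constructed input: TIFF header plus padding, then a ZIP holding b.so and l.so stubs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("b.so", b"\x7fELF stub")
        zf.writestr("l.so", b"\x7fELF stub")
    return b"II*\x00" + b"\x00" * 60 + buf.getvalue()
```

A real DNG will have a full TIFF IFD rather than zero padding, but the ZIP search works the same way because it keys on the trailing central-directory record rather than on the image structure.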

Delivering LANDFALL Spyware: Mobile Device Malware Exploit Chains

Mobile device malware often requires a chain of exploits across multiple vulnerabilities for successful infection. The specific exploit chain used to deliver LANDFALL may involve zero-click remote code execution, starting with the delivery of the malformed DNG images. The investigation into LANDFALL highlights the complex nature of modern exploit chains used for spyware distribution.

LANDFALL Spyware Analysis

LANDFALL is a multi-component Android spyware designed for espionage and data exfiltration, specifically engineered for Samsung Galaxy devices.

The LANDFALL spyware consists of two main components:

  • Loader (b.so): An ARM64 ELF shared object that serves as the main backdoor. This component is responsible for retrieving and loading additional modules.
  • SELinux Policy Manipulator (l.so): A component designed to manipulate the device’s SELinux policy to grant LANDFALL elevated permissions and aid persistence.

The loader component, referred to as “Bridge Head” in its debug artifacts, contains numerous debug and status strings, but lacks the logic to reference most of these strings. This suggests that the loader is designed to download additional modules for extended functionality.


LANDFALL’s Potential Capabilities

Analysis of the LANDFALL loader reveals a wide range of potential capabilities, including:

Device Fingerprinting

Gathering information about the device, such as:

  • OS version
  • Hardware ID (IMEI)
  • SIM card serial
  • User account
  • Voicemail number
  • Network configuration
  • Taking inventory of installed applications
  • Accessing location services
  • VPN status
  • USB debugging status
  • Bluetooth

Data Exfiltration

Stealing sensitive data from the device, such as:

  • Recording microphone
  • Recording calls
  • Call history
  • SMS/messaging data
  • Camera photos
  • Arbitrary files
  • Databases on the device (browsing history, etc.)

Execution, Loading and Persistence

Maintaining a persistent presence on the device and executing malicious code, including:

  • Loading native shared object (.so) modules
  • Loading and executing DEX files from memory and disk
  • Injecting processes
  • Executing via LD_PRELOAD
  • Executing arbitrary commands
  • Manipulating SELinux
  • Persistence
  • Modifying SELinux policy via compressed binary
  • Monitoring WhatsApp Media directory for additional payloads
  • Registering WhatsApp web client
  • Manipulating the file system in Android app directories
  • Manipulating the file system

Evasion and Defense Avoidance

Avoiding detection by security software and analysts, including:

  • Detecting TracerPid debugger
  • Detecting Frida instrumentation framework
  • Detecting Xposed framework
  • Dynamic library loading with namespace manipulation
  • Certificate pinning for C2 communications
  • Cleaning up WhatsApp images payload

Targeted Device Models

LANDFALL appears to target specific Samsung Galaxy device models, including:

  • Galaxy S23 Series (S91[168]BXX.*)
  • Galaxy S24 Series (S921BXXU1AWM9, S92[168]BXX.*)
  • Galaxy Z Fold4 (F936BXXS4DWJ1)
  • Galaxy S22 (S901EXXS4CWD1)
  • Galaxy Z Flip4 (F721BXXU1CWAC)

C2 Communication

LANDFALL communicates with command-and-control (C2) servers to receive instructions and exfiltrate data. The initial beacon traffic is an HTTP POST request containing information about the device and the agent. Parameters include:

  • protocol: The protocol version (e.g., A1.5.0)
  • protocol_ver: The protocol version (e.g., “”)
  • type: The message type (e.g., MSG_TYPE_GET_AGENT)
  • agent_id: The agent’s unique identifier
  • upload_id: An upload identifier
  • command_id: A command identifier
  • source: The source of the request (e.g., bridge_head)
  • incremental_build: The incremental build version (e.g., v1.5.0)
  • euid: The effective user ID of the process
  • bh_path: The path to the b.so binary on the device
  • runner: The runner mode (e.g., I)
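Detection logic over the beacon parameters listed above, written as an added example (not Unit 42 code). It assumes the POST body is form-encoded (the write-up names the parameters but not their encoding) and that each proxy log line has the shape "METHOD host body"; the log lines, the agent id and the bh_path value are constructed placeholders.

```python
"""Beacon-parameter detector for LANDFALL-style first contact (added example, not Unit 42 code).
Assumes the POST body is form-encoded (the write-up lists the parameter names, not the
encoding) and that a proxy log line reads 'METHOD host body'; all log lines are constructed."""
from urllib.parse import parse_qs

BEACON_PARAMS = {"protocol", "protocol_ver", "type", "agent_id", "upload_id", "command_id",
                 "source", "incremental_build", "euid", "bh_path", "runner"}
DISTINCTIVE_VALUES = {"source": "bridge_head", "type": "MSG_TYPE_GET_AGENT"}

def score_beacon(body: str) -> dict:
    """Match one POST body against the documented parameter set and example values."""
    params = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    matched = sorted(BEACON_PARAMS & params.keys())
    value_hits = [k for k, v in DISTINCTIVE_VALUES.items() if params.get(k) == v]
    if params.get("bh_path", "").endswith("/b.so"):
        value_hits.append("bh_path")
    # Alert when most of the set is present, or a distinctive value comes with several names.
    hit = len(matched) >= 8 or (bool(value_hits) and len(matched) >= 4)
    return {"matched": matched, "value_hits": sorted(value_hits), "hit": hit}

def scan_log(lines):
    """Return the hosts that received a body scoring as a beacon; non-POST lines are skipped."""
    hosts = []
    for line in lines:
        method, host, body = line.split(" ", 2)
        if method == "POST" and score_beacon(body)["hit"]:
            hosts.append(host)
    return hosts

# Constructed log lines: one full beacon (placeholder agent id and path), one benign form post.
SAMPLE_LOG = [
    "POST brightvideodesigns[.]com protocol=A1.5.0&protocol_ver=&type=MSG_TYPE_GET_AGENT"
    "&agent_id=AGENT-ID-PLACEHOLDER&upload_id=0&command_id=0&source=bridge_head"
    "&incremental_build=v1.5.0&euid=10245&bh_path=/PATH-PLACEHOLDER/b.so&runner=I",
    "POST example.com user=alice&protocol=2&type=login&source=web",
    "GET hotelsitereview[.]com -",
]
```

The thresholds are a starting point: tune them against your own proxy logs, and pair the body match with the C2 domains and IPs the write-up lists.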

Configuration of b.so File

The configuration of the LANDFALL loader is managed through a combination of hard-coded default values and an encrypted JSON object embedded within the file. This configuration includes C2 details, cryptographic keys, and unique identifiers for the agent and commands.

C2 Infrastructure for LANDFALL Spyware

Unit 42 identified six C2 servers used by LANDFALL:

IP Address         Domain                        First Seen      Last Seen
194.76.224[.]127   brightvideodesigns[.]com      Feb. 7, 2025    Sept. 19, 2025
91.132.92[.]35     hotelsitereview[.]com         Feb. 3, 2025    Sept. 16, 2025
92.243.65[.]240    healthyeatingontherun[.]com   Oct. 11, 2024   Sept. 2, 2025
192.36.57[.]56     projectmanagerskills[.]com    Feb. 3, 2025    Aug. 26, 2025
46.246.28[.]75     Unknown                       Unknown         Unknown
45.155.250[.]158   Unknown                       Unknown         Unknown

How LANDFALL Fits Into the Larger Picture

The LANDFALL campaign highlights a recurring attack vector: the targeting of vulnerabilities within DNG image processing libraries. The specific flaw LANDFALL exploited, CVE-2025-21042, is not an isolated case but rather part of a broader pattern of similar issues found on multiple mobile platforms. In fact, earlier in 2025, Samsung identified another DNG flaw in the same Samsung library, CVE-2025-21043, and a parallel exploit chain on iOS was identified that leveraged CVE-2025-43300 in Apple iOS and CVE-2025-55177 in WhatsApp.

Relationship to CVE-2025-21043 (SVE-2025-1702)

CVE-2025-21043, patched by Samsung in September 2025, is another vulnerability in the same image processing library as CVE-2025-21042. The similarities between the two vulnerabilities suggest a broader pattern of attacks targeting DNG image file processing.

Apple’s CVE-2025-43300

In August 2025, Apple addressed CVE-2025-43300, a zero-day vulnerability impacting DNG image parsing, which was actively exploited in the wild. This vulnerability, along with CVE-2025-55177 in WhatsApp, enabled zero-click remote code execution through malicious images. The parallel development of these vulnerabilities in the iOS ecosystem highlights a broader trend of DNG image processing vulnerabilities being leveraged in sophisticated mobile spyware attacks.

Potential Victims

Analysis of VirusTotal submission data suggests potential targets of the LANDFALL campaign in Iraq, Iran, Turkey, and Morocco.

Relationship to Known Spyware Groups

Although definitive attribution is lacking, LANDFALL exhibits characteristics of commercial-grade spyware and may have utilized zero-day exploits in its infection chain. Two notable aspects are:

First, LANDFALL’s C2 infrastructure and domain registration patterns share similarities with infrastructure associated with Stealth Falcon, an actor known for targeting entities in the Middle East.

Second, the loader component refers to itself as “Bridge Head,” a term commonly used by PSOAs for first-stage loaders. Further, Google identified Variston as a Barcelona-based PSOA (provider of exploits). Further analysis from Google and other reports indicated Variston’s tooling was supplied to clients in the UAE through a reseller named Protect Electronic Systems (or Protected AE). Variston reportedly ceased operations in early 2025 following its public exposure.

Conclusion

The discovery of the LANDFALL spyware campaign targeting Samsung Android devices underscores the ongoing threat posed by sophisticated mobile spyware. The exploit chain, leveraging CVE-2025-21042, highlights the potential for vulnerabilities in image processing libraries to be exploited for malicious purposes. The analysis of LANDFALL reveals advanced capabilities for stealth, persistence, and data collection.

Practical Takeaways:

  • Technical Readers: Implement robust application sandboxing and monitor system calls to detect suspicious activity. Analyze network traffic for known C2 server communication patterns. Implement breach detection systems and consider using a cyber threat intelligence platform for early warning.
  • Business Leaders: Ensure that mobile devices are promptly updated with security patches. Educate employees on the risks of clicking on suspicious links or opening attachments from unknown sources. Invest in a supply-chain risk monitoring solution to assess the security of third-party software.

Indicators of Compromise

Malware Samples



Domain Names

  • brightvideodesigns[.]com
  • healthyeatingontherun[.]com
  • hotelsitereview[.]com
  • projectmanagerskills[.]com


Appendices

Appendix A: SELinux Policy Manipulation

LANDFALL’s component for SELinux policy manipulation is l.so. This file provides a capability to bypass system security controls. It is decompressed from /data/data/com.samsung.ipservice/files/l to /data/data/com.samsung.ipservice/files/l.so and executed.

Appendix B: Additional Details on LANDFALL Spyware Analysis