New LandFall Spyware Exploited Samsung Zero-Day via WhatsApp Messages (CVE-2025-21042)

Key takeaways:

  • LandFall is a newly discovered spyware targeting Samsung devices via a zero-day vulnerability.
  • The spyware is delivered through malicious .DNG images sent via WhatsApp.
  • LandFall possesses extensive spying capabilities, including device fingerprinting, microphone recording, and location tracking.
  • Attribution of the LandFall campaign remains uncertain, but there are potential links to known spyware vendors and threat actors.
  • Organizations should prioritize security awareness training, implement mobile device management solutions, and stay informed about the latest cyber threats to protect against mobile spyware.

CVE-2025-21042: A Deep Dive

A previously unknown spyware, dubbed ‘LandFall,’ has been deployed by exploiting a zero-day vulnerability in Samsung’s Android image processing library. The attacks leveraged malicious image files sent via WhatsApp. This blog post walks through CVE-2025-21042, the vulnerability used to deploy LandFall, and the broader implications for mobile device security.

Identified as CVE-2025-21042, the zero-day is an out-of-bounds write in libimagecodec.quram.so, the image codec library that ships as a core component of Samsung’s Android builds. The vulnerability carries a critical CVSS severity rating, and for good reason: a remote attacker who successfully exploits the flaw can execute arbitrary code on the target device, with no need for the user to run anything beyond the stock image processing that happens when a picture is received.

Samsung patched the vulnerability in April 2025. However, Unit 42’s investigation shows that the LandFall operation had been active since at least July 2024, targeting specific Samsung Galaxy users primarily located in the Middle East, which means the exploit was in use for roughly nine months before a fix existed. It also underlines why security updates should be applied as soon as they are released: even after a patch ships, threat actors keep exploiting devices that have not yet received it.

The attack vector begins with delivery of a specially crafted .DNG (Digital Negative) raw image. The file is a polyglot: a DNG that the device parses as an image, with a .ZIP archive appended to the end of the file. The image data triggers the codec bug, while the trailing archive carries the spyware components, so the payload travels inside what looks like an ordinary photo.

Researchers at Palo Alto Networks’ Unit 42 discovered and analyzed samples submitted to VirusTotal starting July 23, 2024. The filenames and submission patterns suggest WhatsApp was the primary delivery channel for these malicious images.

From a technical standpoint, the .DNG files contain two key components:

  • Loader (b.so): This component retrieves and loads the additional modules the spyware needs to function.
  • SELinux Policy Manipulator (l.so): This module alters the device’s SELinux policy to elevate the spyware’s permissions and keep it running across reboots. SELinux is the mandatory access control layer of the Linux kernel that Android relies on to confine processes; loosening its policy is what lets the implant operate with permissions the stock policy would otherwise deny.
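The DNG-with-appended-ZIP construction described above is something a scanner can look for directly. The following is an added example, written for this post and not Unit 42’s tooling or any LandFall code: it checks that a file opens like a TIFF (every DNG must), then locates a ZIP End Of Central Directory record at the tail and works back to the offset where the image ends and the archive begins. The sample files, including the member names `b.so` and `l.so`, are constructed inline; the member contents are dummy bytes.

```python
"""Triage check for DNG images that carry a ZIP archive appended after the image.

Added example for this post; not Unit 42's tooling and not LandFall code.
DNG is a TIFF-based container, so the file must open like a TIFF, while the
appended archive is located from the ZIP End-Of-Central-Directory (EOCD)
record at the tail of the file.
"""
import io
import struct
import zipfile

TIFF_MAGICS = (b"II*\x00", b"MM\x00*")   # little- and big-endian TIFF signatures
EOCD_SIG = b"PK\x05\x06"                 # end of central directory record
CDFH_SIG = b"PK\x01\x02"                 # central directory file header
EOCD_LEN = 22                            # fixed part of the EOCD record
MAX_COMMENT = 0xFFFF                     # an EOCD may be followed by a comment this long


def is_tiff_like(data: bytes) -> bool:
    """True if the file starts with a TIFF header, as every DNG must."""
    return len(data) >= 8 and data[:4] in TIFF_MAGICS


def find_appended_zip(data: bytes):
    """Return (offset_where_zip_starts, [member names]) or None.

    EOCD stores the central directory size and its offset relative to the
    start of the ZIP, so for a ZIP glued onto an image the image length is
    (central directory position in file) - (central directory offset in ZIP).
    """
    tail = data[-(EOCD_LEN + MAX_COMMENT):]
    rel = tail.rfind(EOCD_SIG)
    if rel < 0 or len(tail) - rel < EOCD_LEN:
        return None
    eocd = len(data) - len(tail) + rel
    _, _, _, _, entries, cd_size, cd_offset, _ = struct.unpack(
        "<4sHHHHIIH", data[eocd:eocd + EOCD_LEN])
    cd_pos = eocd - cd_size
    zip_start = cd_pos - cd_offset
    if zip_start < 8:                     # archive would overlap the TIFF header: not appended
        return None
    names, pos = [], cd_pos
    for _ in range(entries):
        if data[pos:pos + 4] != CDFH_SIG:
            break
        fn_len, extra_len, comment_len = struct.unpack("<HHH", data[pos + 28:pos + 34])
        names.append(data[pos + 46:pos + 46 + fn_len].decode("utf-8", "replace"))
        pos += 46 + fn_len + extra_len + comment_len
    return zip_start, names


def triage(data: bytes) -> dict:
    """What a scanner should record for one attachment."""
    hit = find_appended_zip(data)
    return {
        "tiff_like": is_tiff_like(data),
        "appended_zip": {"offset": hit[0], "members": hit[1]} if hit else None,
    }


def build_sample(append_zip: bool) -> bytes:
    """Constructed input: a minimal little-endian TIFF (header, empty IFD, filler)
    and optionally a two-member ZIP appended. Member names mirror the loader
    and SELinux module names reported for LandFall; contents are dummy bytes."""
    image = (b"II*\x00" + struct.pack("<I", 8)        # header, first IFD at offset 8
             + struct.pack("<HI", 0, 0)               # IFD with 0 entries, no next IFD
             + b"\x00" * 256)                         # stand-in for pixel data
    if not append_zip:
        return image
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("b.so", b"dummy loader bytes")
        zf.writestr("l.so", b"dummy selinux module bytes")
    return image + buf.getvalue()


if __name__ == "__main__":
    for label in ("clean", "polyglot"):
        print(label, triage(build_sample(label == "polyglot")))
```

The check flags the delivery construction, not the codec bug itself: a DNG crafted to trigger the out-of-bounds write does not have to carry a ZIP, so treat a hit as a strong indicator and a miss as no information. Because the offset is derived from the EOCD rather than from the first `PK` bytes, stray `PK` sequences inside pixel data do not produce false positives.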

LandFall Spyware Capabilities

Once installed, LandFall possesses a wide range of spying capabilities, including:

  • Device Fingerprinting: LandFall can collect detailed information about the compromised device, including hardware and SIM IDs (IMEI, IMSI), SIM card number, user account details, Bluetooth information, location services data, and a list of installed applications. This data is used to uniquely identify the device and track its activities.
  • Module Execution: The spyware can execute additional modules to extend its functionality and adapt to the specific environment.
  • Persistence: LandFall employs techniques to ensure it remains active on the device even after reboots or updates.
  • Detection Evasion: The spyware incorporates methods to avoid detection by security software and user scrutiny.
  • Bypassing Protections: LandFall attempts to bypass various security measures implemented on the device.
  • Microphone Recording: Ability to record audio through the device’s microphone.
  • Call Recording: Ability to record phone calls made on the device.
  • Location Tracking: Ability to track the device’s location.
  • Browsing History Access: Ability to access and exfiltrate the user’s browsing history.

Unit 42’s analysis indicates that LandFall primarily targets Galaxy S22, S23, and S24 series devices, along with Z Fold 4 and Z Flip 4 models. That covers most of Samsung’s recent flagships; the newer S25 series does not appear in the targeting list.

It’s important to note that LandFall’s use of .DNG images aligns with a broader trend of exploiting this format in commercial spyware tools. Previous exploitation chains involving .DNG images have been observed targeting Apple iOS (CVE-2025-43300) and WhatsApp (CVE-2025-55177).

Samsung has also addressed CVE-2025-21043, a second vulnerability in the same libimagecodec.quram.so library, which was reported by WhatsApp’s security researchers. Two exploited bugs in one image codec within a year is a reminder that the library sits on a hostile parsing boundary and will keep attracting attention.

Attribution Murky

While the technical details of LandFall are well-understood, attributing the attacks to a specific threat actor remains challenging.

Analysis of the VirusTotal submissions points to potential targets in Iraq, Iran, Turkey, and Morocco. This geographic footprint offers some clues about the operator but is not conclusive on its own.

Unit 42 identified six command-and-control (C2) servers associated with the LandFall campaign. Some of these servers have been flagged for malicious activity by Turkey’s CERT (Computer Emergency Response Team).

C2 domain registration and infrastructure patterns exhibit similarities to those observed in Stealth Falcon operations, which have been linked to the United Arab Emirates.

Furthermore, the use of the “Bridge Head” name for the loader component is a naming convention commonly associated with NSO Group, Variston, Cytrox, and Quadream products, all of which are known spyware vendors.

Despite these clues, researchers have not been able to confidently link LandFall to any known threat groups or spyware vendors. The attribution remains murky, highlighting the challenges of identifying the actors behind sophisticated spyware campaigns.

Practical Takeaways

For Technical Readers:

  • Verify patch level first: CVE-2025-21042 was fixed in Samsung’s April 2025 update, and CVE-2025-21043 in the same library has since been patched as well. Check that every managed Galaxy device reports a security patch level at or after those releases, and treat unpatched S22, S23, S24, Z Fold 4 and Z Flip 4 devices as exposed.
  • Ingest spyware intelligence in real time: integrate threat feeds carrying up-to-date indicators of compromise (IOCs) for known spyware campaigns, starting with the C2 infrastructure and samples from Unit 42’s LandFall analysis, into DNS, proxy and mobile security tooling.
  • Hunt for the delivery artifact: a .DNG file with a ZIP archive appended to it is a strong signal. Scan messaging attachments and device storage for images that carry a trailing ZIP structure.
  • Utilize a cyber threat intelligence platform: a CTI platform can correlate data from multiple sources, including dark web monitoring and underground forum intelligence, to give a fuller picture of the threat landscape.
  • Enhance breach detection capabilities: deploy detection that can identify suspicious activity such as unauthorized access to sensitive data or unusual outbound traffic from mobile devices, which is where spyware C2 and exfiltration show up.
  • Strengthen supply-chain risk monitoring: evaluate the security posture of suppliers and partners to reduce the risk that a compromised third party introduces malware into your environment.
  • Implement robust brand leak alerting: monitor for leaks of sensitive information, such as credentials or proprietary data, that attackers could exploit.
  • Focus on endpoint detection and response (EDR): deploy EDR or mobile threat defense on phones to detect and respond to malicious activity in real time. Visibility into application and process behavior is what lets you spot an implant like LandFall once it is running.

For Non-Technical Readers (Business Leaders):

  • Prioritize security awareness training: Educate employees about the risks of phishing attacks and other social engineering tactics that could be used to deliver spyware.
  • Enforce a strong password policy: Require employees to use strong, unique passwords and enable multi-factor authentication (MFA) on all accounts.
  • Implement a mobile device management (MDM) solution: MDM solutions let you manage and secure mobile devices, including enforcing a minimum security patch level (the single most effective defense against a fixed zero-day like CVE-2025-21042), remotely wiping devices, enforcing security policies, and monitoring for suspicious activity.
  • Regularly review security policies and procedures: Ensure that your security policies and procedures are up-to-date and aligned with industry best practices.
  • Invest in cybersecurity insurance: Cybersecurity insurance can help you mitigate the financial risks associated with data breaches and other cyber incidents.
  • Stay informed about the latest cyber threats: Subscribe to industry newsletters and follow cybersecurity experts on social media to stay informed about the latest threats and vulnerabilities.
  • Work closely with your IT security team: Collaborate with your IT security team to ensure that your organization is adequately protected against cyber threats.

PurpleOps and Mobile Security

PurpleOps provides a range of services that can help organizations protect themselves against mobile spyware threats like LandFall. Our cyber threat intelligence platform offers real-time visibility into the threat landscape, including information on emerging malware campaigns and associated IOCs. We provide dark web monitoring to identify compromised credentials and other sensitive information that could be used to launch attacks. Our team also offers expertise in breach detection, penetration testing, and supply-chain risk monitoring to help organizations identify and address gaps in their mobile security posture. Telegram threat monitoring is another service that helps track how malicious files like these are distributed.

Furthermore, PurpleOps can assist with establishing robust brand leak alerting systems, ensuring that any compromised or leaked information related to your organization is promptly detected and addressed.

Next Steps

The emergence of LandFall highlights the ongoing threat posed by mobile spyware. Organizations must take proactive steps to protect themselves against these attacks. For more information on how PurpleOps can help you improve your mobile security posture, please visit our platform or contact PurpleOps Solutions for a consultation. Consider also exploring our red team operations for a comprehensive security assessment, our supply chain offerings for supply chain and ransomware risk, and our dark web monitoring and cyber threat intelligence services for ongoing visibility.

FAQ

Q: What is LandFall spyware?

A: LandFall is a newly discovered spyware targeting Samsung devices via a zero-day vulnerability (CVE-2025-21042) in the Android image processing library.

Q: How is LandFall delivered?

A: LandFall is delivered through malicious .DNG images sent via WhatsApp. Each image has a ZIP archive appended to it that carries the spyware components.

Q: What are the capabilities of LandFall spyware?

A: LandFall has extensive spying capabilities, including device fingerprinting, microphone recording, call recording, location tracking, and browsing history access.

Q: Which Samsung devices are targeted by LandFall?

A: LandFall primarily targets Galaxy S22, S23, and S24 series devices, along with Z Fold 4 and Z Flip 4 models.

Q: How can I protect myself from LandFall and similar spyware?

A: Apply Samsung’s security updates promptly (the fix for CVE-2025-21042 shipped in April 2025), prioritize security awareness training, enforce strong password policies, implement a mobile device management (MDM) solution that enforces a minimum patch level, regularly review security policies, and stay informed about the latest cyber threats.