Zero-Click Samsung Zero-Day (CVE-2025-21042) Delivered LANDFALL Spyware Via Malicious DNG Images

Estimated reading time: 7 minutes

Key takeaways:

  • LANDFALL spyware infects Samsung Galaxy devices via malicious DNG image files.
  • The vulnerability (CVE-2025-21042) allows for zero-click infection, requiring no user interaction.
  • The spyware grants attackers extensive control over the device, including call recording, location tracking, and file system manipulation.
  • Attackers are suspected to be targeting users in the Middle East.
  • Ensure all Samsung devices are updated with the latest security patches.

Table of Contents:

LANDFALL Spyware: Infection and Capabilities

Researchers have uncovered a new Android spyware family, LANDFALL, which exploits a zero-day vulnerability (CVE-2025-21042) in Samsung’s image processing library. This zero-click Samsung zero-day (CVE-2025-21042) allows attackers to compromise Galaxy devices by embedding the spyware within malicious DNG image files.

The spyware campaign, active since mid-2024, appears to target users in the Middle East. The attack vector involves sending malicious DNG (Digital Negative) image files through WhatsApp, enabling zero-click infection and complete device surveillance.

LANDFALL exploits a flaw in libimagecodec.quram.so, a Samsung library responsible for image decoding. Attackers embed a ZIP archive containing the spyware payload inside the malformed DNG image file. Opening or previewing the image triggers the exploit silently, extracting shared object (.so) binaries from the ZIP archive and executing them on the device. This requires no user interaction, characteristic of zero-click exploits used by commercial spyware platforms.

LANDFALL is designed for Samsung Galaxy models, including the S22, S23, S24, Z Fold4, and Z Flip4. Once installed, it gives attackers extensive control and visibility into the device:

  • Recording calls and ambient audio.
  • Tracking location and monitoring installed applications.
  • Detecting debugging frameworks such as Frida and Xposed to avoid analysis.
  • Manipulating file systems and app directories, especially targeting WhatsApp’s media folder for persistence.

The core module, b.so, acts as a backdoor loader, while l.so manipulates SELinux policies to escalate privileges and ensure persistence. The spyware communicates with command-and-control (C2) servers via HTTPS over nonstandard ephemeral ports, sending encrypted JSON payloads containing device identifiers, configuration keys, and agent status.

Infrastructure and Attribution

Unit 42 identified six active C2 domains, including brightvideodesigns[.]com and healthyeatingontherun[.]com, resolving to IP addresses geolocated in Europe and the Middle East. VirusTotal submissions indicate that infected DNG samples originated from users in Iraq, Iran, Turkey, and Morocco, suggesting a regional espionage operation. Turkey’s national CERT (USOM) has flagged IP addresses associated with LANDFALL’s C2 infrastructure as APT-related and mobile-focused.

While definitive attribution is pending, the report points to similarities with commercial spyware vendors. The term “Bridge Head” within LANDFALL’s debug strings is a codename used by private-sector offensive actors (PSOAs) like NSO Group, Variston, Cytrox, and Quadream. Additionally, LANDFALL’s infrastructure and tradecraft resemble Stealth Falcon, a group linked to the United Arab Emirates (UAE) and known for deploying surveillance tools in the Middle East.

Technical Analysis: How LANDFALL Works

The attack hinges on a malformed DNG image file with an appended ZIP archive. The vulnerability, CVE-2025-21042, lies within Samsung’s libimagecodec.quram.so library. When the image is processed, the library fails to properly handle the malformed DNG structure, leading to the execution of arbitrary code.

The embedded ZIP archive contains .so files, which are shared object libraries in Android, similar to DLLs in Windows. These libraries contain the malicious code that makes up the LANDFALL spyware. The exploit extracts and executes these libraries directly on the device, bypassing normal app installation procedures. The use of extension methods allows developers to add new methods to existing types without modifying the original code.

The spyware then establishes a connection to its C2 server, sending device information and receiving commands. It leverages techniques to persist on the device, even after a reboot, and attempts to evade detection by security software. Its ability to manipulate SELinux policies is particularly concerning, as it can weaken the device’s security framework.

Practical Takeaways

Technical Readers:

  • Patching: Ensure all Samsung devices are updated with the latest security patches. CVE-2025-21042 was addressed in April 2025, so verify that devices are running software versions with this fix.
  • Endpoint Detection and Response (EDR): Implement or enhance EDR solutions on mobile devices to detect and block suspicious processes, file modifications, and network connections. Look for unusual activity related to image processing libraries or attempts to manipulate SELinux policies.
  • Network Monitoring: Monitor network traffic for connections to known LANDFALL C2 servers and unusual outbound communication patterns. Use a cyber threat intelligence platform to stay informed about the latest indicators of compromise (IOCs).
  • Application Control: Restrict the execution of applications from untrusted sources. Consider using application whitelisting to allow only approved applications to run on devices.

Non-Technical Readers:

  • Awareness: Educate users about the risks of opening unsolicited image files, especially from unknown senders. Emphasize that even previewing an image can lead to infection.
  • Software Updates: Ensure that devices are configured to automatically install software updates. This is crucial for patching security vulnerabilities.
  • Mobile Security: Consider using mobile security software to detect and prevent malware infections. Choose reputable vendors with a proven track record.
  • Limit Exposure: Be cautious about sharing sensitive information on mobile devices, especially through messaging apps like WhatsApp. Consider using end-to-end encryption for sensitive communications.
  • Supply-Chain Risk Monitoring: Understand and assess the risk associated with third-party software and services used within your organization. Implement a robust supply chain risk management program to identify and mitigate potential vulnerabilities.

PurpleOps Expertise

This LANDFALL campaign demonstrates the importance of proactive threat detection and a layered security approach. PurpleOps provides a range of services to help organizations protect against advanced mobile threats, including:

  • Cyber Threat Intelligence: Our cyber threat intelligence platform provides real-time insights into emerging threats, including malware campaigns targeting mobile devices.
  • Breach Detection: We offer advanced breach detection capabilities to identify and respond to intrusions quickly and effectively.
  • Dark Web Monitoring Service: Our dark web monitoring service can detect if your organization’s data is being sold or traded on underground forums, providing early warning of potential data breaches.
  • Telegram Threat Monitoring: PurpleOps can implement telegram threat monitoring to identify potential threat actors and malicious campaigns.
  • Real-Time Ransomware Intelligence: Leverage our real-time ransomware intelligence to protect your company against these attacks.
  • Underground Forum Intelligence: Proactively defend your business with underground forum intelligence.
  • Brand Leak Alerting: Get ahead of threats with our brand leak alerting services.

The LANDFALL spyware represents a significant threat to Samsung Galaxy users, particularly in the Middle East. Its zero-click infection mechanism and extensive surveillance capabilities make it a dangerous tool in the hands of malicious actors. By taking proactive steps to protect their devices and networks, organizations can reduce their risk of falling victim to this type of attack.

To learn more about how PurpleOps can help you protect your organization from mobile threats and implement a comprehensive security strategy, visit https://www.purple-ops.io/platform/ or contact us for more information.

FAQ

Q: What is a zero-click exploit?

A: A zero-click exploit allows attackers to compromise a device without any user interaction. The user does not need to click on a link, open a file, or perform any action for the exploit to work.

Q: Which Samsung devices are affected by the LANDFALL spyware?

A: LANDFALL is designed for Samsung Galaxy models, including the S22, S23, S24, Z Fold4, and Z Flip4.

Q: How can I protect my Samsung device from LANDFALL?

A: Ensure your device is updated with the latest security patches, be cautious about opening unsolicited image files, and consider using mobile security software.

Q: What is a DNG file?

A: DNG (Digital Negative) is a proprietary, open lossless raw image format developed by Adobe used for digital photography.