Samsung Mobile Vulnerability: Zero-Day Exploit Leads to Deployment of LANDFALL Android Spyware

Samsung Mobile Flaw Exploited as Zero-Day to Deploy LANDFALL Android Spyware

A critical security vulnerability in Samsung Galaxy devices has been exploited to deliver sophisticated Android spyware named LANDFALL. The zero-day flaw in Samsung's image processing library enabled attackers to target users in the Middle East through malicious DNG image files, according to Palo Alto Networks Unit 42.

The vulnerability (CVE-2025-21042), which received a high severity CVSS score of 8.8, allowed remote attackers to execute arbitrary code through an out-of-bounds write flaw in Samsung's "libimagecodec.quram.so" component. Samsung patched the issue in April 2025, but not before it was actively exploited in targeted attacks.

Attack Details and Impact

The exploitation campaign, tracked as CL-UNK-1054, primarily targeted users in Iraq, Iran, Turkey, and Morocco. The attacks appear to have begun as early as July 2024, with evidence of LANDFALL samples dating back to that period.

According to Itay Cohen, senior principal researcher at Unit 42, the attack likely involved sending malicious DNG (Digital Negative) files via WhatsApp. Filenames like "WhatsApp Image 2025-02-10 at 4.54.17 PM.jpeg" and "IMG-20240723-WA0000.jpg" were discovered in the artifacts.

"This vulnerability was actively exploited in the wild before Samsung patched it in April 2025, following reports of in-the-wild attacks," Unit 42 stated in their report.

The spyware specifically targeted Samsung's premium devices, including:

  • Galaxy S22 series
  • Galaxy S23 series
  • Galaxy S24 series
  • Z Fold 4
  • Z Flip 4

Notably, the latest generation of Samsung devices appears to have been excluded from the targeting.

LANDFALL Capabilities and Operation

LANDFALL functions as a comprehensive surveillance tool with extensive data collection capabilities. Once installed, the spyware can harvest sensitive information including:

  • Microphone recordings
  • Real-time location data
  • Photos stored on the device
  • Contact information
  • SMS messages
  • Call logs
  • Files and documents

The attack mechanism involves embedding a ZIP file within a DNG image. Exploiting the vulnerability extracts from that archive a shared object library that runs the spyware. The archive also contains a second component designed to manipulate the device's SELinux policy, granting the malware elevated permissions and enabling persistence.

This sophisticated attack method represents one of the most dangerous zero-day exploits discovered recently, as it required no user interaction beyond receiving an image file.

The spyware establishes communication with a command-and-control (C2) server over HTTPS, entering into a beaconing loop to receive additional payloads for execution.

"LANDFALL is a modular spyware framework," Cohen explained. "The loader we analyzed is clearly designed to fetch and execute additional components from the C2 infrastructure. Those later stages likely extend its surveillance and persistence capabilities, but they weren't recovered in the samples available to us."

Technical Analysis of the Exploit Chain

The LANDFALL attack follows a sophisticated multi-stage process that begins with the exploitation of the Samsung image processing vulnerability. Security researchers at ESET have documented similar attack patterns where seemingly innocent image files can contain malicious payloads.

  1. Initial Infection: The victim receives a malicious DNG file, typically via WhatsApp
  2. Exploitation: When the image is processed, the vulnerability in Samsung's library is triggered
  3. Payload Delivery: The hidden ZIP file is extracted and executed
  4. Privilege Escalation: SELinux policies are modified to grant extended permissions
  5. Persistence Establishment: The malware ensures it survives device reboots
  6. Command & Control: Connection to C2 infrastructure enables ongoing control
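
One way a defender can check incoming DNG files for the embedded-archive structure described above, as an added example that is not part of the Unit 42 report or this article: it walks the TIFF/DNG header to find how far the image's own structures extend, then looks for a parseable ZIP archive anywhere in the file. The minimal DNG and the appended archive are constructed inline for the demonstration; no real sample is used.

```python
import io, struct, zipfile

TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 6: 1, 7: 1, 8: 2, 9: 4, 10: 8, 11: 4, 12: 8}
ZIP_LOCAL_FILE_HEADER = b"PK\x03\x04"

def tiff_extent(data):
    """End offset of the last IFD, out-of-line value or single strip (a lower bound)."""
    e = {b"II": "<", b"MM": ">"}[data[:2]]  # KeyError: not a TIFF/DNG byte-order mark
    magic, ifd = struct.unpack_from(e + "HI", data, 2)
    if magic != 42:
        raise ValueError("bad TIFF magic")
    end, seen = 8, set()
    while ifd and ifd not in seen:  # `seen` breaks IFD offset cycles in hostile files
        seen.add(ifd)
        (count,) = struct.unpack_from(e + "H", data, ifd)
        pos, strip = ifd + 2, {}
        for _ in range(count):
            tag, typ, n, val = struct.unpack_from(e + "HHII", data, pos)
            size = TYPE_SIZES.get(typ, 1) * n  # more than 4 bytes: `val` is an offset
            end = max(end, val + size if size > 4 else 0)
            if tag in (273, 279) and n == 1:  # StripOffsets / StripByteCounts
                strip[tag] = val
            pos += 12
        end = max(end, pos + 4, strip.get(273, 0) + strip.get(279, 0))
        (ifd,) = struct.unpack_from(e + "I", data, pos)
    return end

def scan_for_embedded_zip(data):
    """Find a parseable ZIP archive inside a DNG and report where it sits."""
    extent, pos, members = tiff_extent(data), data.find(ZIP_LOCAL_FILE_HEADER), []
    if pos >= 0:
        try:
            with zipfile.ZipFile(io.BytesIO(data[pos:])) as zf:
                members = zf.namelist()
        except zipfile.BadZipFile:
            pos = -1  # signature bytes with no valid archive behind them
    return {"tiff_extent": extent, "file_size": len(data), "zip_offset": pos,
            "zip_members": members, "suspicious": bool(members)}

def build_sample(with_zip):  # constructed minimal little-endian DNG: 4x4, 8-bit, strip at 86
    entries = [(256, 3, 1, 4), (257, 3, 1, 4), (258, 3, 1, 8), (273, 4, 1, 86),
               (279, 4, 1, 16), (50706, 1, 4, 0x00000401)]  # last entry: DNGVersion 1.4
    data = b"II" + struct.pack("<HIH", 42, 8, len(entries)) + b"".join(
        struct.pack("<HHII", *ent) for ent in entries) + struct.pack("<I", 0) + bytes(16)
    if with_zip:  # append an archive holding a placeholder member, as the article describes
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr("placeholder.so", b"constructed sample, not a real library")
        data += buf.getvalue()
    return data
```

Only single-strip pixel data is followed, so for tiled or multi-strip DNGs `tiff_extent` is a lower bound rather than an exact end; truncated input raises `struct.error`, which a caller should treat as malformed.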

This methodical approach demonstrates the hallmarks of advanced persistent threat malware deployment, showing significant sophistication in both technical implementation and operational security.

This exploit appears to be part of a larger pattern of attacks. Samsung disclosed in September 2025 that another flaw (CVE-2025-21043) in the same library had also been exploited as a zero-day, though there's no evidence linking it to the LANDFALL campaign.

Around the same time period, WhatsApp reported that a vulnerability in its messaging app (CVE-2025-55177) was chained with an Apple iOS/macOS flaw (CVE-2025-43300) to target approximately 200 users in a sophisticated campaign. Both WhatsApp and Apple have patched these vulnerabilities.

Unit 42's analysis revealed that LANDFALL's C2 infrastructure and domain registration patterns resemble those of Stealth Falcon (also known as FruityArmor), though no direct connection had been confirmed as of October 2025.

Threat Actor Attribution and Motivation

While definitive attribution remains challenging, several indicators suggest this campaign may be linked to state-sponsored activities:

  • Targeted Regions: The focus on Middle Eastern countries aligns with known geopolitical interests
  • Sophisticated Implementation: The technical complexity indicates advanced capabilities
  • Limited Scope: The narrow targeting suggests intelligence gathering rather than financial motivation
  • Infrastructure Similarities: Connections to previously identified threat groups point to established actors

Security researchers note that mobile security vulnerabilities are increasingly exploited by nation-state actors seeking to conduct surveillance on specific targets.

Response and Mitigation

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-21042 to its Known Exploited Vulnerabilities (KEV) catalog on November 10, 2025. Federal Civilian Executive Branch (FCEB) agencies are required to remediate the flaw by December 1, 2025.

"Samsung mobile devices contain an out-of-bounds write vulnerability in libimagecodec.quram.so," CISA stated. "This vulnerability could allow remote attackers to execute arbitrary code."

While Samsung has patched the specific vulnerability, researchers believe similar exploit chains affecting both Samsung and iOS devices remained active until recently.

"We don't believe this specific exploit is still being used, since Samsung patched it in April 2025," Cohen noted. "However, related exploit chains affecting Samsung and iOS devices were observed as recently as August and September, indicating that similar campaigns remained active until very recently."

Given the sophisticated nature of this threat, users should take several precautions:

  1. Apply Security Updates Immediately: Ensure your Samsung device has all the latest security updates installed
  2. Exercise Caution with Media Files: Be cautious about opening image files from unknown sources, especially via messaging apps
  3. Implement Additional Security: Consider using additional security software that can detect suspicious behaviors
  4. Monitor Device Performance: Watch for unusual battery drain or performance issues that could indicate spyware presence
  5. Enable Two-Factor Authentication: Protect accounts that might be compromised if device security is breached
  6. Review App Permissions: Regularly audit which applications have access to sensitive features like the camera, microphone, and location services

For organizations managing mobile devices, implementing a comprehensive mobile device management (MDM) solution is essential to ensure timely patching and security policy enforcement across all devices.

This incident highlights the ongoing cat-and-mouse game between security researchers and sophisticated threat actors who continue to find new ways to exploit mobile devices. For Samsung users, it serves as an important reminder to keep devices updated with the latest security patches as soon as they become available.
