LANDFALL Android Spyware Exploiting CVE-2025-21042 Zero-Day to Target Samsung Galaxy Devices
- Rescana

Executive Summary
A sophisticated Android spyware campaign leveraging the newly discovered LANDFALL malware has been identified targeting users of Samsung Galaxy devices. This campaign exploits a critical zero-day vulnerability, CVE-2025-21042, in the Samsung image processing library, libimagecodec.quram.so, enabling remote code execution via malicious DNG (Digital Negative) image files. The attack vector is primarily through WhatsApp, where threat actors deliver weaponized images to victims. Once compromised, affected devices are subject to extensive surveillance, data exfiltration, and persistent control by the adversary. The campaign, active from mid-2024 until the release of a patch in April 2025, has predominantly targeted individuals in the Middle East, with evidence of highly selective victimology and advanced evasion techniques. This advisory provides a comprehensive technical breakdown, threat actor insights, exploitation details, and actionable mitigation guidance for organizations and individuals at risk.
Threat Actor Profile
The operators behind LANDFALL exhibit hallmarks of a highly resourced, technically adept group, likely operating as a Private Sector Offensive Actor (PSOA). Infrastructure analysis and tradecraft suggest possible links to Middle Eastern APTs, with overlaps in tactics and infrastructure with groups such as Stealth Falcon and vendors like Variston (as referenced by Google TAG and ESET). The campaign’s infrastructure, including domains such as brightvideodesigns.com and hotelsitereview.com, has been flagged by the Turkish National CERT (USOM) as associated with advanced persistent threats. The targeting pattern, use of zero-day exploits, and operational security measures indicate a focus on high-value individuals, likely for espionage or intelligence collection purposes. No definitive attribution has been made public, but the sophistication and selectivity of the operation point to a well-funded, possibly state-aligned or mercenary threat actor.
Technical Analysis of Malware/TTPs
The LANDFALL malware leverages a critical vulnerability, CVE-2025-21042, in the Samsung image processing library libimagecodec.quram.so. This flaw allows for an out-of-bounds write condition, enabling remote code execution when a specially crafted DNG image is processed. The infection chain begins with the delivery of a malicious DNG file, often disguised with filenames such as "WhatsApp Image 2025-02-10 at 4.54.17 PM.jpeg", sent via WhatsApp. Upon opening or previewing the image, the exploit triggers, extracting embedded ELF shared objects—specifically, b.so (the primary loader/backdoor) and l.so (a SELinux policy manipulator).
The loader establishes persistence by modifying SELinux policies and altering the file system, ensuring the malware survives reboots and system updates. It then downloads additional payloads from command-and-control (C2) servers, communicating over HTTPS with non-standard ports and employing device fingerprinting and encrypted configuration files to evade detection. The malware is capable of extensive surveillance, including microphone and camera activation, call recording, location tracking, SMS and contact exfiltration, and monitoring of installed applications and browsing history. Advanced evasion techniques are employed, such as detection of debugging tools (Frida, Xposed), dynamic library loading, and certificate pinning to thwart network interception.
The C2 infrastructure is robust, utilizing multiple domains and IP addresses, with rapid rotation and ephemeral ports to complicate tracking and takedown efforts. The malware’s modular architecture allows for rapid adaptation and deployment of new capabilities as required by the operators.
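The delivery artefact described above is a DNG (a TIFF-based container) sent under a .jpeg filename and carrying ELF shared objects. The following triage script is an added example, not code from this advisory or from Rescana: it checks whether a file's bytes match its claimed extension, walks the first TIFF IFD for the DNGVersion tag (0xC612), and reports every offset of the ELF magic. The sample file is constructed inline with a stub that only carries the ELF magic; the filename reuses the pattern quoted in the advisory.

```python
"""Triage an image file for the carrier pattern described in the advisory:
a DNG (TIFF-based) file delivered under a .jpeg name that carries ELF shared
objects. Added example, not code from the advisory or from Rescana."""
import struct
from dataclasses import dataclass, field

ELF_MAGIC = b"\x7fELF"                       # first four bytes of every ELF object
TIFF_LE, TIFF_BE = b"II*\x00", b"MM\x00*"    # DNG is a TIFF/EP container
JPEG_MAGIC = b"\xff\xd8\xff"
DNG_VERSION_TAG = 0xC612                     # TIFF tag that marks a file as DNG


@dataclass
class ScanResult:
    container: str                  # "jpeg", "tiff" or "unknown"
    extension_mismatch: bool        # name says JPEG, bytes say otherwise
    is_dng: bool                    # TIFF with a DNGVersion tag in IFD0
    elf_offsets: list = field(default_factory=list)  # where b"\x7fELF" occurs

    @property
    def suspicious(self) -> bool:
        return self.extension_mismatch or bool(self.elf_offsets)


def detect_container(data: bytes) -> str:
    if data.startswith(JPEG_MAGIC):
        return "jpeg"
    if data[:4] in (TIFF_LE, TIFF_BE):
        return "tiff"
    return "unknown"


def has_dng_version_tag(data: bytes) -> bool:
    """Walk IFD0 of a TIFF and report whether the DNGVersion tag is present.
    Every step is bounds-checked: a malformed IFD is exactly what a crafted
    file may contain, and the scanner must not crash on it."""
    if len(data) < 8 or data[:2] not in (b"II", b"MM"):
        return False
    end = "<" if data[:2] == b"II" else ">"
    (ifd,) = struct.unpack(end + "I", data[4:8])
    if ifd + 2 > len(data):
        return False
    (count,) = struct.unpack(end + "H", data[ifd:ifd + 2])
    for i in range(count):
        entry = ifd + 2 + 12 * i            # each IFD entry is 12 bytes
        if entry + 12 > len(data):
            return False
        (tag,) = struct.unpack(end + "H", data[entry:entry + 2])
        if tag == DNG_VERSION_TAG:
            return True
    return False


def find_elf_offsets(data: bytes) -> list:
    """Return every offset of the ELF magic. A benign image can contain these
    four bytes by chance, so treat a hit as a triage lead, not as proof."""
    offsets, pos = [], data.find(ELF_MAGIC)
    while pos != -1:
        offsets.append(pos)
        pos = data.find(ELF_MAGIC, pos + 1)
    return offsets


def scan_image(filename: str, data: bytes) -> ScanResult:
    ext = filename.lower().rsplit(".", 1)[-1] if "." in filename else ""
    container = detect_container(data)
    mismatch = ext in ("jpg", "jpeg") and container != "jpeg"
    is_dng = container == "tiff" and has_dng_version_tag(data)
    return ScanResult(container, mismatch, is_dng, find_elf_offsets(data))


def build_sample_dng(payload: bytes) -> bytes:
    """Constructed test input: a minimal little-endian TIFF whose IFD0 holds
    only a DNGVersion entry, with `payload` appended directly after the IFD."""
    header = TIFF_LE + struct.pack("<I", 8)              # IFD0 starts at byte 8
    entry = struct.pack("<HHI", DNG_VERSION_TAG, 1, 4) + bytes([1, 4, 0, 0])
    ifd0 = struct.pack("<H", 1) + entry + struct.pack("<I", 0)  # 1 entry, no next IFD
    return header + ifd0 + payload


# Constructed stand-in for an embedded shared object: only the magic and a
# few header bytes, not a real ELF file.
FAKE_ELF = ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 9 + b"constructed-stub"
SAMPLE_NAME = "WhatsApp Image 2025-02-10 at 4.54.17 PM.jpeg"  # name pattern from the advisory
SAMPLE = build_sample_dng(FAKE_ELF)

if __name__ == "__main__":
    result = scan_image(SAMPLE_NAME, SAMPLE)
    print(result, "-> suspicious" if result.suspicious else "-> clean")
```

Run over a directory of received media, a mismatch between extension and container is the cheap first filter; the ELF-magic scan is the second, and any hit should go to a reverse engineer rather than be treated as a verdict, since four bytes can appear by chance in pixel data.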
Exploitation in the Wild
The LANDFALL campaign has been observed in the wild since at least July 2024, with a significant uptick in activity through early 2025. The primary delivery vector is through WhatsApp, leveraging the platform’s popularity and the trust users place in received media. Malicious DNG images are sent to targeted individuals, exploiting the zero-day vulnerability upon viewing or previewing the file. The campaign has been highly targeted, with confirmed victims in Iraq, Iran, Turkey, and Morocco, as evidenced by VirusTotal submissions and regional CERT advisories.
The exploitation is characterized by its stealth and selectivity; there is no evidence of widespread indiscriminate attacks. Instead, the operators appear to focus on individuals of strategic interest, likely for intelligence gathering. The campaign persisted until Samsung released a security patch in April 2025, after which exploitation attempts declined sharply. However, unpatched devices remain vulnerable, and the threat actor’s demonstrated capability to exploit zero-day vulnerabilities suggests ongoing risk.
Victimology and Targeting
Analysis of malware samples, C2 telemetry, and open-source intelligence indicates that the LANDFALL campaign is highly targeted, with victims primarily located in the Middle East—specifically Iraq, Iran, Turkey, and Morocco. The selection of targets suggests a focus on individuals of political, diplomatic, or business significance, rather than mass exploitation. The use of WhatsApp as a delivery mechanism further supports the hypothesis of targeted social engineering, as attackers likely leverage compromised or spoofed accounts to deliver malicious payloads to intended victims.
The affected devices are predominantly high-end Samsung Galaxy models, including the S22, S23, S24, Z Fold4, and Z Flip4 series, running firmware versions prior to the April 2025 security update. The campaign’s operational security, including rapid infrastructure rotation and selective targeting, has limited the exposure of the malware, complicating detection and response efforts.
Mitigation and Countermeasures
Immediate action is required to mitigate the risk posed by LANDFALL. All organizations and individuals using Samsung Galaxy devices should ensure that their devices are updated with the April 2025 (or later) security patch, which addresses CVE-2025-21042 and related vulnerabilities. Security teams should monitor for indicators of compromise, including the specific SHA256 hashes of malicious DNG files and ELF components (b.so, l.so), as well as network connections to known C2 domains and IP addresses such as brightvideodesigns.com, hotelsitereview.com, and healthyeatingontherun.com.
Detection strategies should include monitoring for unusual DNG file activity, especially files received via WhatsApp with suspicious naming conventions (such as DNG content delivered under a .jpeg filename, as in the sample named above), and inspecting device logs for evidence of SELinux policy modifications or unauthorized persistence mechanisms. If compromise is suspected, affected devices should be immediately isolated from networks, and a professional incident response team should be engaged to conduct forensic analysis and remediation.
Organizations are encouraged to educate users about the risks of unsolicited media files, even from trusted contacts, and to implement mobile threat defense solutions capable of detecting advanced malware and anomalous device behavior. Regular review of device firmware and application updates, combined with robust endpoint monitoring, will reduce the attack surface for future campaigns.
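The network side of the detection guidance above (connections to the listed C2 domains, and HTTPS on non-standard ports) can be checked against DNS and proxy logs. The script below is an added example, not code from this advisory or from Rescana. It uses only the three domains named in the advisory, matches subdomains without matching look-alike names, and rates a TLS session to a non-standard port as a weak signal on its own and as corroboration when the host is a known indicator. The log line formats and the sample lines are constructed.

```python
"""Match DNS/proxy log lines against the C2 domains named in this advisory
and flag TLS sessions to non-standard ports. Added example, not code from the
advisory or from Rescana; the log formats and sample lines are constructed."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Domains listed in the advisory's indicators of compromise.
C2_DOMAINS = {"brightvideodesigns.com", "hotelsitereview.com", "healthyeatingontherun.com"}

QNAME_RE = re.compile(r"\bqname=(\S+)")   # constructed DNS log field
DEST_RE = re.compile(r"\bdest=(\S+)")     # constructed proxy log field
PROTO_RE = re.compile(r"\bproto=(\S+)")


@dataclass
class Alert:
    line_no: int
    host: str
    severity: str     # "high" = known indicator, "low" = weak signal only
    reason: str


def normalize_host(raw: str) -> Tuple[str, Optional[int]]:
    """Lower-case, split off a port, drop a trailing dot (DNS FQDN form).
    Assumes no IPv6 literals appear in these logs."""
    host = raw.strip().lower()
    port: Optional[int] = None
    if host.count(":") == 1:
        host, p = host.split(":")
        port = int(p) if p.isdigit() else None
    return host.rstrip("."), port


def match_ioc(host: str, iocs=C2_DOMAINS) -> Optional[str]:
    """Exact or subdomain match. The leading dot in the suffix check keeps a
    look-alike such as 'nothotelsitereview.com' from matching."""
    for ioc in iocs:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None


def triage_line(line_no: int, line: str) -> Optional[Alert]:
    m = QNAME_RE.search(line) or DEST_RE.search(line)
    if not m:
        return None
    host, port = normalize_host(m.group(1))
    proto = PROTO_RE.search(line)
    tls = bool(proto) and proto.group(1) in ("tls", "https")
    odd_port = tls and port not in (None, 443)
    ioc = match_ioc(host)
    if ioc:
        reason = f"contacts known C2 domain {ioc}"
        if odd_port:
            reason += f" over TLS on non-standard port {port}"
        return Alert(line_no, host, "high", reason)
    if odd_port:
        return Alert(line_no, host, "low", f"TLS to non-standard port {port}")
    return None


def triage_log(lines: List[str]) -> List[Alert]:
    return [a for a in (triage_line(i, l) for i, l in enumerate(lines, 1)) if a]


# Constructed sample log: two hits on an advisory domain, one benign lookup,
# one benign TLS session, one weak signal, and one look-alike that must not match.
SAMPLE_LOG = [
    "2025-02-10T16:55:01Z dns query client=10.0.0.12 qname=api.brightvideodesigns.com. qtype=A",
    "2025-02-10T16:55:03Z proxy CONNECT client=10.0.0.12 dest=api.brightvideodesigns.com:8443 proto=tls",
    "2025-02-10T16:56:10Z dns query client=10.0.0.7 qname=example.org. qtype=A",
    "2025-02-10T16:57:22Z proxy CONNECT client=10.0.0.7 dest=updates.example.org:443 proto=tls",
    "2025-02-10T16:58:40Z proxy CONNECT client=10.0.0.9 dest=cdn.example.net:8443 proto=tls",
    "2025-02-10T16:59:00Z dns query client=10.0.0.9 qname=nothotelsitereview.com. qtype=A",
]

if __name__ == "__main__":
    for a in triage_log(SAMPLE_LOG):
        print(f"line {a.line_no} [{a.severity}] {a.host}: {a.reason}")
```

The domain list is deliberately limited to what the advisory publishes; the advisory also notes that the operators rotate infrastructure quickly, so the "low" alerts on unusual TLS ports are the part of this check that keeps working after the named domains go stale.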
About Rescana
Rescana is a leader in third-party risk management (TPRM), providing organizations with advanced tools to continuously monitor, assess, and mitigate cyber risks across their digital supply chain. Our platform leverages real-time intelligence, automated workflows, and deep analytics to empower security teams to proactively defend against emerging threats and ensure compliance with industry standards. For more information about how Rescana can help your organization strengthen its cyber resilience, we are happy to answer questions at ops@rescana.com.