Landfall Android Spyware Exploits CVE-2025-21042 Zero-Day to Target Samsung Galaxy Devices via WhatsApp
- Rescana
- Nov 9
- 5 min read

Executive Summary
A highly sophisticated Android spyware campaign, identified as LANDFALL, has been uncovered targeting users of Samsung Galaxy devices. This operation leveraged a critical zero-day vulnerability, CVE-2025-21042, within the Samsung image processing library, specifically libimagecodec.quram.so. The attack vector involved the delivery of malicious DNG (Digital Negative) image files, often transmitted via WhatsApp, which exploited the vulnerability in a zero-click manner—requiring no user interaction for successful compromise. The campaign was active in the wild from at least July 2024 until the release of a security patch by Samsung in April 2025. The primary targets were located in the Middle East, with confirmed victims in Iraq, Iran, Turkey, and Morocco. The technical sophistication, infrastructure, and tradecraft suggest the involvement of a Private Sector Offensive Actor (PSOA) with capabilities on par with known commercial spyware vendors.
Threat Actor Profile
The LANDFALL campaign exhibits hallmarks of a commercial spyware operation, likely orchestrated by a PSOA. The infrastructure and operational techniques show significant overlap with those used by Stealth Falcon (APT-C-39), a group previously linked to UAE interests, although no direct attribution has been established. The malware’s loader, internally named “Bridge Head,” is a term previously associated with products from vendors such as NSO Group, Variston, Cytrox, and Quadream. The campaign’s infrastructure, including domains and IP addresses, has been flagged by the Turkish National CERT (USOM) as APT-related, further supporting the hypothesis of a well-resourced, regionally focused threat actor. The operation’s targeting of high-value individuals and entities in the Middle East, combined with advanced evasion and persistence mechanisms, underscores the threat’s commercial and potentially state-aligned nature.
Technical Analysis of Malware/TTPs
The LANDFALL malware leverages a critical vulnerability, CVE-2025-21042, in the Samsung image processing library libimagecodec.quram.so. This vulnerability allows for arbitrary code execution when a specially crafted DNG image is processed by the device. The infection chain begins with the delivery of a malicious DNG file, typically disguised as a legitimate image (e.g., “WhatsApp Image 2025-02-10 at 4.54.17 PM.jpeg”), sent via WhatsApp. Upon receipt, the image is automatically processed by the device’s media library, triggering the exploit without any user interaction (zero-click).
The exploit payload consists of embedded ARM64 ELF shared objects, notably b.so (the primary loader) and l.so (responsible for SELinux policy manipulation). The loader establishes persistence by modifying SELinux policies, enabling privilege escalation and ensuring the malware survives device reboots and system updates. The spyware’s capabilities are extensive, including ambient microphone recording, call recording, GPS-based location tracking, exfiltration of photos and contacts, and theft of SMS and messaging data. Advanced evasion techniques are employed, such as anti-debugging, anti-instrumentation (targeting Frida and Xposed frameworks), dynamic library loading, and certificate pinning to thwart network-based detection.
The command and control (C2) infrastructure is distributed across multiple domains and IP addresses, including brightvideodesigns[.]com, healthyeatingontherun[.]com, hotelsitereview[.]com, and projectmanagerskills[.]com, with backend servers hosted on IPs such as 194.76.224[.]127 and 91.132.92[.]35. The malware communicates with these C2 servers to exfiltrate data and receive operational commands.
The attack chain is further characterized by the use of zero-click exploitation, meaning the user does not need to open or interact with the malicious image for the device to be compromised. This is achieved by exploiting the automatic image processing routines within the Samsung media framework. The malware’s persistence and stealth are reinforced by its ability to manipulate low-level security policies and evade both static and dynamic analysis.
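The two artefacts described above that a defender can actually look for on disk are a DNG (TIFF-based) container wearing a ".jpeg" name and an ARM64 ELF shared object carried inside an image file. The following triage scanner is an added example written for this post; it is not code from Rescana, Unit 42 or Samsung, and it makes no claim about where in a real LANDFALL sample the payload sits: it checks the container magic against the file extension and searches the whole file for ELF headers, decoding class, type and machine so an AArch64 shared object (the b.so / l.so pattern) stands out. The sample bytes it scans are constructed filler, not malware.

```python
import struct
from dataclasses import dataclass, field

# DNG files are TIFF containers, so either TIFF byte-order header is a DNG candidate.
TIFF_MAGICS = (b"II*\x00", b"MM\x00*")
JPEG_MAGIC = b"\xff\xd8\xff"
ELF_MAGIC = b"\x7fELF"
EM_AARCH64 = 0xB7   # e_machine value for ARM64 in the ELF specification
ET_DYN = 3          # e_type for a shared object (.so)

# Container a given extension is expected to carry (assumption: only these are checked).
EXPECTED_CONTAINER = {"jpg": "jpeg", "jpeg": "jpeg", "dng": "tiff/dng", "tif": "tiff/dng", "tiff": "tiff/dng"}


@dataclass
class ScanResult:
    container: str                      # what the leading bytes say the file is
    ext_mismatch: bool                  # extension claims one format, bytes say another
    embedded_elf: list = field(default_factory=list)   # (offset, description) per ELF header found

    @property
    def suspicious(self) -> bool:
        return self.ext_mismatch or bool(self.embedded_elf)


def describe_elf(data: bytes, off: int) -> str:
    """Decode class, type and machine of the ELF header starting at off (hypothetical helper)."""
    if off + 20 > len(data):
        return "truncated ELF header"
    ei_class, ei_data = data[off + 4], data[off + 5]
    endian = "<" if ei_data == 1 else ">"          # EI_DATA: 1 = little-endian, 2 = big-endian
    e_type, e_machine = struct.unpack(endian + "HH", data[off + 16:off + 20])
    bits = {1: "ELF32", 2: "ELF64"}.get(ei_class, "ELF?")
    kind = {1: "REL", 2: "EXEC", 3: "DYN", 4: "CORE"}.get(e_type, hex(e_type))
    mach = "AArch64" if e_machine == EM_AARCH64 else hex(e_machine)
    return f"{bits} {kind} {mach}"


def scan_image(data: bytes, filename: str) -> ScanResult:
    """Classify the container, compare it with the extension, and list every ELF header in the file."""
    if data.startswith(TIFF_MAGICS):
        container = "tiff/dng"
    elif data.startswith(JPEG_MAGIC):
        container = "jpeg"
    else:
        container = "unknown"
    ext = filename.lower().rsplit(".", 1)[-1] if "." in filename else ""
    expected = EXPECTED_CONTAINER.get(ext)
    ext_mismatch = expected is not None and container != "unknown" and container != expected

    findings = []
    pos = data.find(ELF_MAGIC)
    while pos != -1:                                  # an image should contain no ELF header at all
        findings.append((pos, describe_elf(data, pos)))
        pos = data.find(ELF_MAGIC, pos + 1)
    return ScanResult(container, ext_mismatch, findings)


def build_sample() -> bytes:
    """Constructed test input: a minimal little-endian TIFF header with an empty IFD,
    followed by a fake ELF64 shared-object header for AArch64. Filler only, not a real payload."""
    tiff = b"II*\x00" + struct.pack("<I", 8)           # magic + offset of first IFD
    tiff += struct.pack("<H", 0) + struct.pack("<I", 0) # IFD with zero entries, no next IFD
    tiff += b"\x00" * 64                                # padding standing in for image data
    elf = ELF_MAGIC + bytes([2, 1, 1, 0]) + b"\x00" * 8 # EI_CLASS=64-bit, EI_DATA=LE, EI_VERSION=1
    elf += struct.pack("<HH", ET_DYN, EM_AARCH64) + b"\x00" * 44
    return tiff + elf


if __name__ == "__main__":
    result = scan_image(build_sample(), "WhatsApp Image 2025-02-10 at 4.54.17 PM.jpeg")
    print(result.container, result.ext_mismatch, result.embedded_elf, result.suspicious)
```

Run against a quarantined media directory, a hit on either check is a reason to pull the file for proper analysis; neither check on its own proves exploitation, and a DNG that a camera app legitimately wrote will show the TIFF magic with a ".dng" extension and no ELF header.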
Exploitation in the Wild
The LANDFALL campaign was active in the wild for at least nine months, from July 2024 until the release of the Samsung security patch in April 2025. During this period, the malware was distributed via WhatsApp image sharing, exploiting the widespread use of the platform for personal and professional communication. The campaign’s zero-click nature allowed it to bypass traditional user awareness and phishing defenses, making detection and response particularly challenging.
Samples of the malicious DNG files and associated ELF payloads were uploaded to VirusTotal but remained undetected for several months, highlighting the malware’s sophistication and the limitations of conventional antivirus solutions. The Turkish National CERT (USOM) identified and blacklisted several C2 IPs, confirming the campaign’s association with advanced persistent threat (APT) activity. The operation’s focus on the Middle East, combined with the use of commercial-grade spyware techniques, suggests a targeted surveillance objective against high-value individuals and organizations.
Victimology and Targeting
The primary victims of the LANDFALL campaign were users of Samsung Galaxy devices in the Middle East, specifically in Iraq, Iran, Turkey, and Morocco. The targeting pattern indicates a focus on high-value individuals, including government officials, journalists, activists, and private sector executives. The selection of Samsung Galaxy S22, S23, S24, Z Fold4, and Z Flip4 devices reflects the popularity of these models among the targeted demographic.
The campaign’s delivery mechanism—malicious images sent via WhatsApp—enabled the attackers to reach victims with minimal operational risk and high success rates. The use of zero-click exploitation further increased the likelihood of successful compromise, as victims were not required to interact with the malicious payload. The operation’s regional focus and victim profile are consistent with previous campaigns attributed to commercial spyware vendors operating in the Middle East.
Mitigation and Countermeasures
To mitigate the risk posed by the LANDFALL malware, it is imperative that all Samsung Galaxy devices are updated with the April 2025 (or later) security patches, which address CVE-2025-21042 and related vulnerabilities. Organizations should monitor network and endpoint logs for indicators of compromise (IOCs), including the hashes of known malicious DNG and ELF samples, as well as connections to the identified C2 domains and IP addresses.
Security teams should implement advanced mobile threat detection solutions capable of identifying anomalous behavior associated with spyware activity, such as unauthorized microphone access, unexpected data exfiltration, and SELinux policy modifications. Regular security awareness training should emphasize the risks associated with unsolicited media files, even when received via trusted platforms like WhatsApp.
In the event of suspected compromise, immediate isolation of affected devices is recommended, followed by forensic analysis and engagement with a professional incident response team. Organizations are encouraged to leverage threat intelligence feeds and collaborate with industry partners to stay informed of emerging mobile threats.
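To turn the IOC monitoring recommended above into something that runs, here is an added example (not Rescana's tooling) that loads the defanged C2 domains and IP addresses listed earlier in this post, refangs them, and matches them against DNS and connection log lines. The log lines are constructed for the example and the log format is an assumption; the matcher is format-agnostic and only looks for hostnames and IPv4 addresses anywhere in a line. It matches subdomains of a listed domain as well as the apex, since C2 infrastructure is routinely fronted that way.

```python
import ipaddress
import re

# Indicators as given in this post, in defanged form.
DEFANGED_IOCS = [
    "brightvideodesigns[.]com",
    "healthyeatingontherun[.]com",
    "hotelsitereview[.]com",
    "projectmanagerskills[.]com",
    "194.76.224[.]127",
    "91.132.92[.]35",
]

# Constructed sample log lines (format is an assumption for this example).
SAMPLE_LOG = [
    "2025-02-10T16:54:20Z dns query src=10.0.0.21 qname=cdn.brightvideodesigns.com qtype=A",
    "2025-02-10T16:54:21Z conn src=10.0.0.21 dst=194.76.224.127 dport=443 proto=tcp",
    "2025-02-10T16:55:02Z dns query src=10.0.0.22 qname=media.whatsapp.net qtype=A",
    "2025-02-10T16:55:10Z conn src=10.0.0.22 dst=91.132.92.36 dport=443 proto=tcp",
]

HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.IGNORECASE)
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def refang(ioc: str) -> str:
    """Undo the common defanging conventions so the indicator can be compared literally."""
    return ioc.replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http")


def load_iocs(defanged):
    """Split a defanged indicator list into a set of domains and a set of IP addresses."""
    domains, ips = set(), set()
    for raw in defanged:
        value = refang(raw.strip().lower())
        try:
            ips.add(str(ipaddress.ip_address(value)))   # normalises and validates the address
        except ValueError:
            domains.add(value)
    return domains, ips


def matches_domain(host: str, domains: set) -> bool:
    """True if host equals a listed domain or is a subdomain of one."""
    parts = host.lower().rstrip(".").split(".")
    return any(".".join(parts[i:]) in domains for i in range(len(parts)))


def scan_log(lines, domains: set, ips: set):
    """Return (line_number, kind, indicator) for every IOC hit in the given log lines."""
    hits = []
    for number, line in enumerate(lines, 1):
        for host in HOST_RE.findall(line):
            if matches_domain(host, domains):
                hits.append((number, "domain", host.lower().rstrip(".")))
        for ip in IPV4_RE.findall(line):
            if ip in ips:
                hits.append((number, "ip", ip))
    return hits


def run_demo():
    domains, ips = load_iocs(DEFANGED_IOCS)
    return scan_log(SAMPLE_LOG, domains, ips)


if __name__ == "__main__":
    for hit in run_demo():
        print("IOC hit: line %d %s %s" % hit)
```

The fourth sample line deliberately carries an address one octet away from a listed C2 IP and does not match; exact matching on refanged indicators is the intended behaviour, and anyone who wants to watch the surrounding netblock should add that as an explicit, separately labelled rule rather than loosening the match.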
References
Palo Alto Networks Unit 42: LANDFALL Analysis – https://unit42.paloaltonetworks.com/landfall-is-new-commercial-grade-android-spyware/
NVD - CVE-2025-21042 – https://nvd.nist.gov/vuln/detail/CVE-2025-21042
Samsung Mobile Security Updates – https://security.samsungmobile.com/securityUpdate.smsb
WhatsApp Security Advisories 2025 – https://www.whatsapp.com/security/advisories
Turkish National CERT (USOM) - IP Blacklist – https://www.usom.gov.tr/
Google TAG: Buying Spying (PDF) – https://blog.google/threat-analysis-group/buying-spying/
ESET: Stealth Falcon APT – https://www.welivesecurity.com/en/eset-research/stealth-falcon-middle-east/
Check Point: Stealth Falcon Exploits – https://research.checkpoint.com/2023/stealth-falcon-exploit/
About Rescana
Rescana is a leader in third-party risk management (TPRM), providing organizations with a comprehensive platform to assess, monitor, and mitigate cyber risks across their digital supply chain. Our advanced threat intelligence and risk assessment capabilities empower security teams to proactively identify and address vulnerabilities, ensuring robust protection against emerging threats. For more information about our platform and services, or to discuss your organization’s cybersecurity needs, we are happy to answer questions at ops@rescana.com.