Samsung Galaxy Zero-Day (CVE-2025-21042) Exploited to Deploy LANDFALL Android Spyware via WhatsApp DNG Images
- Rescana
- Nov 9

Executive Summary
A critical zero-day vulnerability in Samsung Galaxy mobile devices, tracked as CVE-2025-21042, has been actively exploited in the wild to deploy the advanced LANDFALL Android spyware. This campaign, uncovered by Palo Alto Networks Unit 42 and corroborated by multiple threat intelligence sources, leverages a flaw in the libimagecodec.quram.so image processing library. Attackers weaponized specially crafted DNG image files, often delivered via WhatsApp, to achieve zero-click remote code execution on unpatched Samsung devices. The LANDFALL spyware exhibits sophisticated surveillance capabilities, including audio, video, and data exfiltration, and demonstrates advanced persistence and evasion techniques. The campaign has primarily targeted users in the Middle East, with evidence of overlap in infrastructure and tradecraft with known private-sector offensive actors (PSOAs) such as Stealth Falcon and Variston. Immediate patching and proactive threat hunting are strongly recommended for all organizations with exposure to affected Samsung devices.
Threat Actor Profile
The threat actor behind the LANDFALL campaign remains unattributed but demonstrates hallmarks of a highly resourced, technically adept group with access to commercial-grade offensive security tooling. Infrastructure analysis reveals significant overlap with PSOAs, notably Stealth Falcon (a UAE-based APT group) and the now-defunct Variston (Barcelona-based spyware vendor). The campaign’s operational security, use of zero-day exploits, and targeting patterns suggest a nexus with state-aligned or mercenary cyber-espionage entities. The actor, tracked by Unit 42 as CL-UNK-1054, has leveraged infrastructure previously associated with other high-profile surveillance operations, indicating either shared tooling or a common supplier ecosystem. The campaign’s focus on Middle Eastern targets, combined with the use of advanced anti-forensic and anti-analysis techniques, underscores a strategic intent to compromise high-value individuals in sensitive sectors.
Technical Analysis of Malware/TTPs
The attack chain begins with the delivery of a malicious DNG image file, typically masquerading as a legitimate WhatsApp image (e.g., “WhatsApp Image 2025-02-10 at 4.54.17 PM.jpeg”). Upon receipt, the vulnerable Samsung image processing library (libimagecodec.quram.so) parses the file, and the exploit for CVE-2025-21042 achieves remote code execution without user interaction. The DNG file contains an embedded ZIP archive, which is extracted and executed in memory. This archive delivers two primary payloads: b.so (an ARM64 ELF loader/backdoor, codenamed “Bridge Head”) and l.so (a SELinux policy manipulator, extracted from an XZ-compressed ELF binary).
LANDFALL establishes persistence by manipulating SELinux policies, enabling the spyware to survive device reboots and evade standard security controls. The malware employs process injection, anti-debugging, and anti-instrumentation techniques, including detection of Frida and Xposed frameworks, to thwart analysis and dynamic instrumentation. Once operational, LANDFALL exfiltrates a wide array of sensitive data, including microphone recordings, call audio, geolocation, photos, contacts, call logs, SMS messages, arbitrary files, and browser/database contents.
Command-and-control (C2) communication is conducted over HTTPS using non-standard ports, with certificate pinning and custom POST requests containing device and agent metadata. The C2 infrastructure is distributed across multiple domains and IP addresses, including brightvideodesigns[.]com, hotelsitereview[.]com, healthyeatingontherun[.]com, and projectmanagerskills[.]com. The malware’s modular architecture and robust evasion capabilities position it among the most advanced Android surveillance tools observed to date.
Exploitation in the Wild
The LANDFALL campaign has been active since at least July 2024, with exploitation continuing until the release of Samsung’s April 2025 security patch. Telemetry from VirusTotal and national CERTs, including the Turkish National CERT (USOM), indicates that the campaign has primarily targeted users in Iraq, Iran, Turkey, and Morocco. The attack vector is predominantly zero-click, with malicious DNG images delivered via WhatsApp exploiting the vulnerable image processing library upon receipt, requiring no user interaction.
Analysis of the C2 infrastructure and malware samples reveals significant overlap with previous PSOA operations, including those attributed to Stealth Falcon and Variston. The campaign’s operational tempo, targeting, and technical sophistication suggest a focus on government, political, and dissident targets within the Middle East. The use of zero-day exploits and advanced anti-forensic techniques has enabled the threat actor to maintain a low profile and evade detection for an extended period.
Victimology and Targeting
The primary victims of the LANDFALL campaign are users of Samsung Galaxy devices, specifically the S22, S23, S24, Z Fold4, and Z Flip4 models running Android 13, 14, or 15 with firmware versions prior to the April 2025 security update. The campaign’s geographic focus is the Middle East, with confirmed targeting in Iraq, Iran, Turkey, and Morocco. While the specific sectors targeted have not been publicly disclosed, the use of commercial-grade spyware and the regional focus strongly suggest an interest in government, political, and civil society organizations, as well as high-profile individuals such as journalists, activists, and dissidents.
The delivery mechanism—malicious DNG images sent via WhatsApp—enables the threat actor to target individuals with high precision, leveraging social engineering or compromised accounts to deliver the exploit. The zero-click nature of the attack significantly increases the risk to end users, as exploitation occurs automatically upon receipt of the malicious file.
Mitigation and Countermeasures
Organizations and individuals using Samsung Galaxy devices must immediately apply the April 2025 security update (or later) to remediate CVE-2025-21042 and the September 2025 update for CVE-2025-21043. Security teams should proactively hunt for indicators of compromise, including the presence of malicious DNG files with known hashes and suspicious ELF binaries (b.so, l.so) in device storage, particularly within /data/data/com.samsung.ipservice/files/ and WhatsApp media directories.
Network monitoring should be configured to detect and block outbound HTTPS traffic to the identified C2 domains and IP addresses, especially on non-standard ports. Security solutions should be updated to detect the unique anti-analysis and persistence techniques employed by LANDFALL, including SELinux policy manipulation and process injection. Users should be educated on the risks of unsolicited media files, even from trusted contacts, and organizations should consider implementing mobile threat defense solutions capable of detecting advanced Android malware.
Incident response teams should review device logs for evidence of SELinux policy changes, unknown ELF binaries, and anomalous network activity. Collaboration with mobile device management (MDM) providers and regular threat intelligence updates are essential to maintain situational awareness and rapidly respond to emerging threats.
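The hunting steps above (DNG files carrying an embedded ZIP, ELF/XZ payloads named b.so or l.so under the Samsung ipservice path, and connections to the listed C2 domains on non-standard ports) can be scripted. The following is an added illustration, not Unit 42 or Rescana tooling; the log line format it parses is an assumption, and all sample inputs are constructed.

```python
"""Hunting helpers for the LANDFALL indicators described in this advisory.

Added example, not tooling from Unit 42 or Rescana. Only the payload names,
path and C2 domains from the report are reused; all sample data is constructed.
"""
import re
from pathlib import Path

TIFF_MAGIC = (b"II*\x00", b"MM\x00*")      # DNG is a TIFF-based container
ZIP_LOCAL_HEADER = b"PK\x03\x04"           # ZIP local file header signature
ELF_MAGIC = b"\x7fELF"
XZ_MAGIC = b"\xfd7zXZ\x00"                 # l.so ships XZ-compressed per the report
SUSPECT_NAMES = {"b.so", "l.so"}           # payload names from the report
SUSPECT_DIR = "/data/data/com.samsung.ipservice/files"
C2_DOMAINS = {"brightvideodesigns.com", "hotelsitereview.com",
              "healthyeatingontherun.com", "projectmanagerskills.com"}


def classify_blob(name: str, data: bytes) -> list:
    """Return indicator tags matching a file's name and leading bytes."""
    tags = []
    # A TIFF/DNG header followed anywhere by a ZIP local header is the
    # structural tell described in the technical analysis.
    if data[:4] in TIFF_MAGIC and ZIP_LOCAL_HEADER in data[4:]:
        tags.append("dng-with-embedded-zip")
    if data[:4] == ELF_MAGIC or data[:6] == XZ_MAGIC:
        # Plain ELF/XZ is normal on Android; only the reported names/path count.
        if Path(name).name in SUSPECT_NAMES or name.startswith(SUSPECT_DIR):
            tags.append("suspect-elf-payload")
    return tags


# Assumed (constructed) flow-log format: "<ts> <src_ip> -> <dst_host>:<port> <proto>"
LOG_RE = re.compile(r"^\S+ \S+ -> (?P<host>[\w.-]+):(?P<port>\d+) (?P<proto>\w+)$")


def flag_c2_log_lines(lines):
    """Flag connections to listed C2 hosts; a non-443 port raises severity."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        host, port = m["host"].lower(), int(m["port"])
        if host in C2_DOMAINS:
            hits.append((host, port, "high" if port != 443 else "medium"))
    return hits


if __name__ == "__main__":
    # Constructed sample: TIFF header, padding, then a ZIP local header.
    sample_dng = b"II*\x00" + b"\x08\x00\x00\x00" + b"\x00" * 16 + b"PK\x03\x04"
    print(classify_blob("WhatsApp Image 2025-02-10 at 4.54.17 PM.jpeg", sample_dng))
    print(flag_c2_log_lines(["2025-02-10T16:54:20Z 10.0.0.5 -> brightvideodesigns.com:8443 tls"]))
```

Run it against a forensic image of the WhatsApp media and ipservice directories plus exported flow logs; a hit is a trigger for full triage, not proof of compromise on its own.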
References
- Palo Alto Networks Unit 42: LANDFALL Technical Analysis
- NVD: CVE-2025-21042
- The Hacker News: Samsung Zero-Day Flaw Exploited
- TechCrunch: Landfall spyware abused zero-day to hack Samsung Galaxy phones
- Turkish National CERT (USOM): IP Blacklist
- Google TAG: Buying Spying (PDF)
- ESET: Stealth Falcon preying over Middle Eastern skies with Deadglyph
- Check Point Research: Stealth Falcon's Exploit of Microsoft Zero Day
About Rescana
Rescana is a leader in third-party risk management (TPRM), providing organizations with a comprehensive platform to continuously monitor, assess, and mitigate cyber risks across their digital supply chain. Our advanced threat intelligence and automation capabilities empower security teams to proactively identify and respond to emerging threats, ensuring robust protection for critical assets and sensitive data.
For questions or further assistance, please contact us at ops@rescana.com.