New Landfall Spyware Exploited Samsung Zero-day Via Whatsapp Messages
A threat actor exploited a zero-day vulnerability in Samsung’s Android image processing library to deploy a previously unknown spyware called 'LandFall' using malicious images sent over WhatsApp.
The security issue was patched this year in April, but researchers found evidence that the LandFall operation was active since at least July 2024, and targeted select Samsung Galaxy users in the Middle East.
Identified as CVE-2025-21042, the zero-day is an out-of-bounds write in libimagecodec.quram.so and has a critical severity rating. A remote attacker successfully exploiting it can execute arbitrary code on a target device.
According to researchers at Palo Alto Networks’ Unit 42, the LandFall spyware is likely a commercial surveillance framework used in targeted intrusions.
The attacks begin with the delivery of a malformed .DNG raw image format with a .ZIP archive appended towards the end of the file.
Unit 42 researchers retrieved and examined samples that were submitted to the VirusTotal scanning platform starting July 23, 2024, indicating WhatsApp as the delivery channel, based on the filenames used.
From a technical perspective, the DNGs embed two main components: a loader (b.so) that can retrieve and load additional modules, and a SELinux policy manipulator (l.so), which modifies security settings on the device to elevate permissions and establish persistence.
According to the researchers, LandFall can fingerprint devices based on hardware and SIM IDs (IMEI, IMSI, the SIM card number, user account, Bluetooth, location services, or the list of installed applications.
However, additional capabilities observed include executing modules, achieving persistence, evading detection, and bypassing protections. Among the spying features, the malware counts:
According to Unit 42’s analysis, the spyware targets Galaxy S22, S23, and S24 series devices, as well as Z Fold 4 and Z Flip 4, covering a broad range of Samsung’s latest flagship models, excluding the latest S25 series devices.
