Samsung Mobile Flaw Exploited as Zero-Day to Deploy LANDFALL Android Spyware

By Admin
November 8, 2025

A now-patched security flaw in Samsung Galaxy Android devices was exploited as a zero-day to deliver a “commercial-grade” Android spyware dubbed LANDFALL in targeted attacks in the Middle East.

The activity involved the exploitation of CVE-2025-21042 (CVSS score: 8.8), an out-of-bounds write flaw in the “libimagecodec.quram.so” component that could allow remote attackers to execute arbitrary code, according to Palo Alto Networks Unit 42. The issue was addressed by Samsung in April 2025.

“This vulnerability was actively exploited in the wild before Samsung patched it in April 2025, following reports of in-the-wild attacks,” Unit 42 said. Potential targets of the activity, tracked as CL-UNK-1054, are located in Iraq, Iran, Turkey, and Morocco based on VirusTotal submission data.

The development comes as Samsung disclosed in September 2025 that another flaw in the same library (CVE-2025-21043, CVSS score: 8.8) had also been exploited in the wild as a zero-day. There is no evidence of this security flaw being weaponized in the LANDFALL campaign. Samsung did not immediately respond to a request for comment.

It is assessed that the attacks involved sending malicious images in the form of DNG (Digital Negative) files via WhatsApp, with evidence of LANDFALL samples going all the way back to July 23, 2024. This is based on DNG artifacts bearing names like “WhatsApp Image 2025-02-10 at 4.54.17 PM.jpeg” and “IMG-20240723-WA0000.jpg.”

Itay Cohen, senior principal researcher at Palo Alto Networks Unit 42, told The Hacker News that they have not observed any significant functional changes between the samples from July 2024 and February 2025, when the most recent LANDFALL artifact was uploaded to VirusTotal.

LANDFALL, once installed and executed, acts as a comprehensive spy tool, capable of harvesting sensitive data, including microphone recording, location, photos, contacts, SMS, files, and call logs.

While Unit 42 said the exploit chain may have involved the use of a zero-click approach to trigger the exploitation of CVE-2025-21042 without requiring any user interaction, there are currently no indications that it has occurred or that there exists an unknown security issue in WhatsApp to support this hypothesis.

The Android spyware is specifically designed to target Samsung’s Galaxy S22, S23, and S24 series devices, as well as Z Fold 4 and Z Flip 4, covering some of the flagship devices from the South Korean electronics chaebol, with the exception of the latest generation.

Flowchart for LANDFALL spyware

It’s worth noting that around the same time WhatsApp disclosed that a flaw in its messaging app for iOS and macOS (CVE-2025-55177, CVSS score: 5.4) was chained along with CVE-2025-43300 (CVSS score: 8.8), a flaw in Apple iOS, iPadOS, and macOS, to potentially target less than 200 users as part of a sophisticated campaign. Apple and WhatsApp have since patched the flaws.

Timeline for recent malicious DNG image files and associated exploit activity

Unit 42’s analysis of the discovered DNG files shows that they come with an embedded ZIP file appended to the end of the file, with the exploit being used to extract a shared object library from the archive to run the spyware. Also present in the archive is another shared object that is designed to manipulate the device’s SELinux policy to grant LANDFALL elevated permissions and facilitate persistence.
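A defender-side check for the file structure described above, as an added example that is not from Unit 42 or the original article: it flags a TIFF/DNG image that carries a trailing ZIP archive and lists any ELF members inside it. The function names and the sample bytes are constructed for illustration, and a trailing ZIP is a triage heuristic, not a LANDFALL signature.

```python
import io
import struct
import zipfile

TIFF_MAGICS = (b"II*\x00", b"MM\x00*")  # DNG is a TIFF-based container


def find_appended_zip(data: bytes):
    """Report a ZIP archive trailing a TIFF/DNG image, or None if absent."""
    if data[:4] not in TIFF_MAGICS:
        return None
    try:
        # zipfile finds the end-of-central-directory record at the tail and
        # tolerates leading non-ZIP bytes (here, the image itself).
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            infos = zf.infolist()
            elf = []
            for info in infos:
                try:
                    with zf.open(info) as member:
                        head = member.read(4)  # read the magic only
                except (RuntimeError, NotImplementedError, zipfile.BadZipFile):
                    continue  # encrypted/unsupported member: still listed
                if head == b"\x7fELF":  # native shared object
                    elf.append(info.filename)
    except zipfile.BadZipFile:
        return None
    return {
        # header_offset is absolute once zipfile accounts for prepended data
        "zip_offset": min((i.header_offset for i in infos), default=None),
        "members": [i.filename for i in infos],
        "elf_members": elf,
    }


def build_sample():
    """Constructed input: a minimal TIFF header, then the same plus a ZIP."""
    tiff = b"II*\x00" + struct.pack("<I", 8) + struct.pack("<HI", 0, 0)
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w") as zf:
        zf.writestr("b.so", b"\x7fELF" + bytes(60))  # placeholder ELF stub
        zf.writestr("note.txt", b"placeholder")
    return tiff, tiff + zbuf.getvalue()


if __name__ == "__main__":
    clean, suspicious = build_sample()
    print("clean:", find_appended_zip(clean))
    print("suspicious:", find_appended_zip(suspicious))
```
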

The shared object that loads LANDFALL also communicates with a command-and-control (C2) server over HTTPS to enter into a beaconing loop and receive unspecified next-stage payloads for subsequent execution.

“At this point, we won’t share details about the next-stage payloads delivered from the C2 server,” Cohen said. “What we can say is that LANDFALL is a modular spyware framework — the loader we analyzed is clearly designed to fetch and execute additional components from the C2 infrastructure. These later stages likely extend its surveillance and persistence capabilities, but they weren’t recovered in the samples available to us.”

It’s currently not known who is behind the spyware or the campaign. That said, Unit 42 said LANDFALL’s C2 infrastructure and domain registration patterns dovetail with those of Stealth Falcon (aka FruityArmor), although, as of October 2025, no direct overlaps between the two clusters have been detected.

The findings suggest that the delivery of LANDFALL is likely part of a broader DNG exploitation wave that also hit iPhone devices via the aforementioned exploit chains. They also highlight how sophisticated exploits can remain accessible in public repositories for extended periods of time, flying under the radar until they can be fully analyzed.

“We don’t believe this specific exploit is still being used, since Samsung patched it in April 2025,” Cohen said. “However, related exploit chains affecting Samsung and iOS devices have been observed as recently as August and September, indicating that similar campaigns remained active until very recently. Some infrastructure that may be related to LANDFALL also remains online, which could suggest ongoing or follow-on activity by the same operators.”

(The story was updated after publication to clarify details surrounding the use of WhatsApp as a distribution vector for the malware and additional insights from Unit 42.)
