
Zero-Day Exploit Targets Samsung Devices to Deliver “LANDFALL” Android Spyware
A high-severity zero-day vulnerability in Samsung Galaxy Android devices has been exploited to deploy LANDFALL, a commercial-grade Android spyware targeting users in the Middle East.
Discovered by Palo Alto Networks Unit 42, the flaw — tracked as CVE-2025-21042 (CVSS 8.8) — resided in the libimagecodec.quram.so component, allowing remote attackers to execute arbitrary code through malicious image files.
Samsung patched the vulnerability in April 2025, but evidence confirms it was actively exploited months before disclosure, in a campaign codenamed CL-UNK-1054.
⚙️ The Exploit Chain
According to forensic analysis, attackers weaponized malicious DNG (Digital Negative) image files and distributed them via WhatsApp, using file names designed to appear authentic — such as “WhatsApp Image 2025-02-10 at 4.54.17 PM.jpeg.”
Once opened, these images triggered an out-of-bounds write condition, enabling code execution and installing the LANDFALL spyware payload.
The malware primarily targeted Samsung Galaxy S22, S23, and S24, along with Z Fold 4 and Z Flip 4 models — devices common among executives, journalists, and government personnel.
🧠 A Sophisticated Android Espionage Platform
Once deployed, LANDFALL functions as a modular surveillance framework, giving attackers deep access to the victim’s device.
Its capabilities include:
Recording audio via the microphone
Capturing photos, location data, SMS, contacts, and call logs
Accessing stored files and app notifications
Maintaining persistence through SELinux manipulation
Unit 42’s reverse engineering revealed that LANDFALL extracts a shared object library from an embedded ZIP archive inside the malicious image.
The loader then modifies SELinux policies to escalate privileges, communicates with C2 servers over HTTPS, and fetches additional surveillance modules for continuous data collection.
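The loader described above gets its shared object from a ZIP archive carried inside the image. The following triage check is an added example written for this article, not code from Unit 42 or Samsung: it looks for ZIP local-file-header signatures inside a TIFF/DNG container, reads the appended archive (Python's zipfile tolerates prepended data), and lists any entries with native-code extensions. The sample inputs are constructed in build_sample(); the placeholder .so bytes are not a real ELF. A clean result only means the embedded-archive delivery pattern is absent, it says nothing about the codec flaw itself.

```python
import io
import struct
import zipfile

# DNG is a TIFF container, so a genuine file opens with one of the TIFF byte-order marks.
TIFF_MAGICS = (b"II*\x00", b"MM\x00*")
ZIP_LOCAL_HEADER = b"PK\x03\x04"
# Entry names that have no business inside a photo; .so is the case the article describes.
NATIVE_CODE_SUFFIXES = (".so", ".dex", ".jar", ".apk")


def find_zip_offsets(data):
    """Byte offsets of every ZIP local-file-header signature in the blob."""
    offsets, pos = [], data.find(ZIP_LOCAL_HEADER)
    while pos != -1:
        offsets.append(pos)
        pos = data.find(ZIP_LOCAL_HEADER, pos + 1)
    return offsets


def list_trailing_zip_entries(data):
    """Entry names of a ZIP archive appended to the image. zipfile locates the
    end-of-central-directory record from the end of the blob and corrects the
    header offsets, so the archive is readable even though it does not start at 0."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return []


def scan_image(data):
    """Triage one image blob: is it a TIFF/DNG container, and does it carry an embedded archive?"""
    is_tiff = data[:4] in TIFF_MAGICS
    zip_offsets = find_zip_offsets(data)
    entries = list_trailing_zip_entries(data) if zip_offsets else []
    native = [n for n in entries if n.lower().endswith(NATIVE_CODE_SUFFIXES)]
    if native:
        verdict = "embedded-zip-with-native-code"
    elif zip_offsets:
        verdict = "embedded-zip"
    else:
        verdict = "clean"
    return {"is_tiff_container": is_tiff, "zip_offsets": zip_offsets,
            "zip_entries": entries, "native_entries": native, "verdict": verdict}


def build_sample(embed_archive):
    """Constructed test input (not a real sample): a minimal little-endian TIFF header
    (magic, IFD pointer to offset 8, empty IFD, padding), optionally followed by a stored
    ZIP. The .so content is placeholder bytes, not executable code."""
    header = b"II*\x00" + struct.pack("<I", 8) + struct.pack("<HI", 0, 0) + b"\x00" * 64
    if not embed_archive:
        return header
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("libloader.so", b"\x7fELF" + b"\x00" * 32)
        zf.writestr("config.txt", b"placeholder")
    return header + buf.getvalue()


if __name__ == "__main__":
    import sys
    # Usage: python scan_dng.py <image file>; with no argument the constructed sample is scanned.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample(True)
    print(scan_image(blob))
```

The signature search and the archive parse are deliberately separate: a stray "PK\x03\x04" inside compressed pixel data is possible, so the verdict is only raised to native-code severity when the trailing archive actually parses and names a shared object.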
🕵️ A Commercial Spyware Operation
LANDFALL bears hallmarks of professional-grade development. Its modular design, encryption routines, and infrastructure management mirror those seen in state-sponsored espionage frameworks such as Stealth Falcon (a.k.a. FruityArmor).
While direct attribution remains unconfirmed, overlapping domain registration patterns and infrastructure suggest LANDFALL may share operators or techniques with established threat clusters in the Middle East region.
Unit 42 reported LANDFALL samples dating back to July 2024, with operational continuity observed through February 2025, indicating a long-running, stealthy campaign.
🔍 Zero-Click Potential — But Not Confirmed
Researchers speculate that attackers may have used a zero-click delivery vector, meaning no user interaction was required to trigger infection. However, no conclusive evidence yet supports this theory or links the campaign to unpatched WhatsApp vulnerabilities.
Still, the attack highlights how seemingly benign file types like images can serve as Trojan horses for sophisticated exploits, particularly when delivered via trusted messaging platforms.
🛡️ CISA and Samsung Response
In response to confirmed exploitation, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-21042 to its Known Exploited Vulnerabilities (KEV) catalog on November 10, 2025, requiring federal agencies to remediate affected systems by December 1, 2025.
Samsung acknowledged the issue and issued a fix in its April 2025 security update, later confirming a related flaw (CVE-2025-21043) in the same component that was also exploited in the wild but not linked to LANDFALL.
📊 Elliptic Systems’ Analysis
LANDFALL represents a significant evolution in Android spyware design — blending zero-day exploitation, modular payloads, and encrypted communications to bypass mobile defenses.
The use of legitimate messaging apps like WhatsApp as a delivery vehicle adds an alarming layer of social camouflage, effectively weaponizing trust to reach targets.
Such tactics underscore the urgent need for AI-powered mobile threat detection, Zero Trust mobile architectures, and continuous endpoint monitoring across enterprise networks.
🧩 Elliptic Systems Recommendations
To mitigate risks from emerging Android zero-day spyware threats like LANDFALL:
✅ Patch immediately — ensure April 2025 or later Samsung updates are installed on all devices.
✅ Disable media auto-downloads in messaging apps like WhatsApp.
✅ Deploy enterprise-grade MTD (Mobile Threat Defense) solutions.
✅ Implement Zero Trust policies for all mobile endpoints.
✅ Monitor for unusual data transfers or app behavior tied to system processes.
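The first recommendation, confirming that every managed Samsung device carries the April 2025 patch level or later, can be audited over adb. The script below is an added example, not Samsung or Unit 42 tooling. It assumes adb is installed and the devices are authorised for debugging, and it reads the standard Android property ro.build.version.security_patch, which is reported as YYYY-MM-DD; the inventory records in SAMPLE_RECORDS are constructed and stand in for live adb output when no device is connected.

```python
import datetime
import subprocess

# Baseline from the article: Samsung shipped the fix in its April 2025 security update.
REQUIRED_PATCH_LEVEL = datetime.date(2025, 4, 1)


def parse_patch_level(raw):
    """Parse the YYYY-MM-DD value of ro.build.version.security_patch; None if unusable."""
    try:
        return datetime.date.fromisoformat(raw.strip())
    except (ValueError, AttributeError):
        return None


def classify_device(serial, patch_level_raw, required=REQUIRED_PATCH_LEVEL):
    """Return 'patched', 'unpatched' or 'unknown' for one device record."""
    level = parse_patch_level(patch_level_raw)
    if level is None:
        return "unknown"  # missing or malformed property: treat as needing follow-up, not as safe
    return "patched" if level >= required else "unpatched"


def audit_fleet(records, required=REQUIRED_PATCH_LEVEL):
    """records: iterable of (serial, raw patch level). Returns verdict -> sorted list of serials."""
    report = {"patched": [], "unpatched": [], "unknown": []}
    for serial, raw in records:
        report[classify_device(serial, raw, required)].append(serial)
    for key in report:
        report[key].sort()
    return report


def connected_serials():
    """Parse `adb devices` output into the serials that are in the 'device' state."""
    out = subprocess.check_output(["adb", "devices"], text=True, timeout=15)
    serials = []
    for line in out.splitlines()[1:]:  # first line is the "List of devices attached" banner
        parts = line.split()
        if len(parts) == 2 and parts[1] == "device":
            serials.append(parts[0])
    return serials


def read_patch_level_via_adb(serial):
    """Query one connected device for its security patch level (raw property string)."""
    cmd = ["adb", "-s", serial, "shell", "getprop", "ro.build.version.security_patch"]
    return subprocess.check_output(cmd, text=True, timeout=15)


# Constructed inventory records (serial, patch level); not real devices.
SAMPLE_RECORDS = [
    ("R5CN0000001", "2025-05-01"),
    ("R5CN0000002", "2025-03-01"),
    ("R5CN0000003", "2025-04-01"),
    ("R5CN0000004", "n/a"),
]

if __name__ == "__main__":
    try:
        live = [(s, read_patch_level_via_adb(s)) for s in connected_serials()]
    except (OSError, subprocess.SubprocessError):
        live = []  # adb missing or no devices: fall back to the constructed records
    for verdict, serials in audit_fleet(live or SAMPLE_RECORDS).items():
        print(f"{verdict}: {', '.join(serials) or '-'}")
```

Devices whose property cannot be read land in the "unknown" bucket rather than being counted as patched, so a device that is offline, unauthorised, or reporting a malformed value still shows up for follow-up.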
As attackers refine their tactics, mobile zero-days are fast becoming the new frontier of espionage.
Organizations that fail to secure their mobile ecosystem risk turning their most trusted devices into surveillance tools.
