A now-patched security flaw in Samsung Galaxy Android devices was used as a zero-day to distribute “commercial-grade” Android spyware dubbed LANDFALL in targeted attacks in the Middle East.
The activity involved exploitation of CVE-2025-21042 (CVSS score: 8.8), which, according to Palo Alto Networks Unit 42, is an out-of-bounds write flaw in the “libimagecodec.quram.so” component that could allow remote attackers to execute arbitrary code. Samsung addressed the issue in April 2025.
“This vulnerability was actively exploited in the wild before Samsung fixed it after reports of wild attacks in April 2025,” Unit 42 said. Potential targets of the activity, tracked as CL-UNK-1054, are located in Iraq, Iran, Turkey, and Morocco, based on VirusTotal submission data.
This development came after Samsung revealed in September 2025 that another flaw in the same library (CVE-2025-21043, CVSS score: 8.8) was also used as a zero-day. There is no evidence that this second flaw was weaponized in the LANDFALL operation. Samsung did not immediately respond to a request for comment.
The attacks are assessed to have involved sending malicious images via WhatsApp in the form of DNG (Digital Negative) files, with evidence of LANDFALL samples dating back to July 23, 2024, based on DNG artifacts with names like “WhatsApp Image 2025-02-10 4.54.17 PM.jpeg” and “IMG-20240723-WA0000.jpg.”
Itay Cohen, senior principal researcher at Palo Alto Networks Unit 42, told The Hacker News that they observed no significant functional changes between samples from July 2024 and February 2025, when the most recent LANDFALL artifact was uploaded to VirusTotal.
Landfall, once installed and executed, acts as a comprehensive spying tool, capable of collecting sensitive data including microphone recordings, location, photos, contacts, SMS, files, and call logs.
While Unit 42 states that the exploit chain may have included a zero-click approach to trigger CVE-2025-21042 without any user interaction, there is currently no indication that this occurred, or that any unknown security issue exists in WhatsApp to support this hypothesis.
The Android spyware is specifically designed to target Samsung’s Galaxy S22, S23 and S24 series devices as well as the Z Fold 4 and Z Flip 4, covering some of the South Korean electronics chaebol’s flagship devices, with the exception of the latest generation.
| Flowchart for Landfall Spyware |
It’s worth noting that around the same time, WhatsApp disclosed that a flaw in its messaging app for iOS and macOS (CVE-2025-55177, CVSS score: 5.4) was combined with CVE-2025-43300 (CVSS score: 8.8), a flaw in Apple iOS, iPadOS, and macOS, potentially as part of a sophisticated campaign targeting fewer than 200 users. Both Apple and WhatsApp have since patched the flaws.
| Timeline for recent malicious DNG image files and related exploit activity |
Unit 42’s analysis of the discovered DNG files shows that they carry an embedded ZIP archive appended at the end of the file; the exploit extracts a shared object library from that archive in order to run the spyware. A second shared object in the same archive is designed to grant LANDFALL elevated permissions and manipulate the device’s SELinux policy to facilitate persistence.
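As an added defender-side illustration (not code from Unit 42 or from this article), the following Python walks a DNG's TIFF structure to find where the image data actually ends and reports any ZIP archive appended after it, the layout described above; the sample file it scans and the member name `stage.so` are constructed here, not taken from real samples.

```python
import io
import struct
import zipfile

# Byte size of each TIFF field type (1=BYTE .. 12=DOUBLE); DNG is a TIFF container.
TYPE_SIZE = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 6: 1, 7: 1, 8: 2, 9: 4, 10: 8, 11: 4, 12: 8}

def tiff_extent(buf: bytes) -> int:
    """Walk the IFD chain; return the end offset of the last byte the TIFF structure references."""
    bo = {b"II": "<", b"MM": ">"}.get(buf[:2])
    if not bo or struct.unpack(bo + "H", buf[2:4])[0] != 42:
        raise ValueError("not a classic TIFF/DNG container")
    end, ifd = 8, struct.unpack(bo + "I", buf[4:8])[0]
    while ifd:
        n = struct.unpack(bo + "H", buf[ifd:ifd + 2])[0]
        end, strips = max(end, ifd + 2 + 12 * n + 4), {}
        for off in range(ifd + 2, ifd + 2 + 12 * n, 12):
            tag, typ, count, raw = struct.unpack(bo + "HHII", buf[off:off + 12])
            size = TYPE_SIZE.get(typ, 1) * count
            if size > 4:                                   # value stored out of line
                end = max(end, raw + size)
            if tag in (273, 279) and typ in (3, 4):        # StripOffsets / StripByteCounts
                src = buf[raw:raw + size] if size > 4 else buf[off + 8:off + 8 + size]
                strips[tag] = struct.unpack(bo + {3: "H", 4: "I"}[typ] * count, src)
        for so, sc in zip(strips.get(273, ()), strips.get(279, ())):
            end = max(end, so + sc)                        # image strips count too
        ifd = struct.unpack(bo + "I", buf[ifd + 2 + 12 * n:ifd + 6 + 12 * n])[0]
    return end

def trailing_zip_members(buf: bytes):
    """Return member names of a ZIP appended after the image structure, else None."""
    tail = io.BytesIO(buf[tiff_extent(buf):])
    if not zipfile.is_zipfile(tail):
        return None
    with zipfile.ZipFile(tail) as zf:
        return [i.filename for i in zf.infolist()]

def build_sample(payload: bytes = b"") -> bytes:
    """Constructed sample: minimal 2x2 little-endian TIFF, one strip, ZIP appended at the end."""
    entries = [(256, 3, 1, 2), (257, 3, 1, 2), (273, 4, 1, 0), (279, 4, 1, 4)]
    data_off = 8 + 2 + 12 * len(entries) + 4               # pixels follow the IFD
    ifd = struct.pack("<H", len(entries))
    for tag, typ, count, val in entries:
        ifd += struct.pack("<HHII", tag, typ, count, data_off if tag == 273 else val)
    tiff = b"II*\x00" + struct.pack("<I", 8) + ifd + struct.pack("<I", 0) + b"\x00" * 4
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w") as zf:
        zf.writestr("stage.so", payload)                   # hypothetical member name
    return tiff + zbuf.getvalue()
```

A clean image yields `None`; any parseable archive past the TIFF extent is a strong triage signal, since a legitimate DNG has no reason to carry one.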
The shared object that loads LANDFALL also communicates with the command-and-control (C2) server over HTTPS to enter the beaconing loop and receive the unspecified next-stage payload for subsequent execution.
“At this time, we cannot share details about the next phase of payloads delivered from the C2 servers,” Cohen said. “What we can say is that Landfall is a modular spyware framework – the loader we analyzed is apparently designed to fetch and execute additional components from the C2 infrastructure. Its monitoring and persistence capabilities are likely to be expanded in later stages, but they were not recovered in the samples available to us.”
At the moment it is not known who is behind the spyware or the campaign. That said, Unit 42 noted that LANDFALL’s C2 infrastructure and domain registration patterns match those of Stealth Falcon (aka FruityArmor); however, as of October 2025, no direct overlap has been found between the two.
The findings suggest that LANDFALL is likely part of a broader DNG exploit wave that also affected iPhone devices through the exploit chains mentioned above. They also highlight how sophisticated exploits can sit in public repositories for long periods of time, flying under the radar until they are fully analyzed.
“We do not believe this specific exploit is still being used, as Samsung patched it in April 2025,” Cohen said. “However, related exploit chains affecting Samsung and iOS devices were most recently observed in August and September, indicating that similar campaigns remained active until recently. Some infrastructure that may be related to LANDFALL also remains online, which may suggest ongoing or follow-up activity by the same operators.”
(The story was updated after publication to clarify details about the use of WhatsApp as a distribution vector for the malware and additional insights from Unit 42.)