Cybersecurity researchers at Unit 42 have uncovered a classy Android spyware and adware marketing campaign that exploited a beforehand unknown zero-day vulnerability in Samsung Galaxy gadgets.
The malware, dubbed LANDFALL, leveraged a essential vulnerability in Samsung’s picture processing library to ship commercial-grade surveillance capabilities by way of maliciously crafted picture information despatched through WhatsApp.
The LANDFALL marketing campaign exploited CVE-2025-21042, a zero-day vulnerability in Samsung’s Android picture processing library that remained unpatched till April 2025.
Attackers embedded the spyware and adware inside malformed DNG (Digital Damaging) picture information, which had been delivered to targets by way of WhatsApp messages.
The exploitation technique intently resembles an analogous assault chain found focusing on Apple iOS gadgets in August 2025, highlighting a broader sample of DNG picture processing vulnerabilities being weaponized throughout cell platforms.
Unit 42’s discovery got here throughout their investigation of iOS exploit chains once they recognized a number of suspicious DNG information uploaded to VirusTotal all through 2024 and early 2025.
The filenames, corresponding to “WhatsApp Picture 2025-02-10 at 4.54.17 PM.jpeg” and “IMG-20240723-WA0000.jpg,” strongly counsel the malware was distributed by way of WhatsApp’s messaging platform. Importantly, researchers discovered no vulnerabilities in WhatsApp itself the applying was merely used as a supply mechanism.
Samsung 0-Day Vulnerability
LANDFALL is particularly designed to focus on Samsung Galaxy gadgets, together with the S22, S23, and S24 collection, in addition to Z Fold4 and Z Flip4 fashions.
The b.so element of LANDFALL communicates with its C2 server over HTTPS utilizing a non-standard, ephemeral TCP port.
The spyware and adware permits intensive surveillance capabilities, together with microphone recording, location monitoring, name log assortment, and extraction of photographs, contacts, and SMS messages. Its modular structure suggests it may obtain further elements to broaden its performance.
The malware’s loader element, internally known as “Bridge Head,” comprises subtle evasion strategies to keep away from detection by safety instruments and debugging frameworks.
Evaluation revealed the spyware and adware may manipulate Android’s SELinux safety insurance policies to keep up elevated permissions and set up persistence on contaminated gadgets.
Proof signifies LANDFALL was deployed in focused intrusion actions throughout the Center East, with potential victims recognized in Iraq, Iran, Turkey, and Morocco.
The marketing campaign’s infrastructure and tradecraft patterns share similarities with industrial spyware and adware operations related to personal sector offensive actors (PSOAs) entities that develop and promote surveillance instruments to authorities shoppers.
Researchers famous potential connections to the Stealth Falcon risk group and doable hyperlinks to the Variston spyware and adware framework, which reportedly operated out of Barcelona earlier than ceasing operations in early 2025.
The b.so file’s configuration is managed by way of a mixture of hard-coded default values and an encrypted JSON object embedded inside itself.
The “Bridge Head” naming conference utilized by LANDFALL matches terminology employed by a number of identified industrial spyware and adware distributors, together with NSO Group and Variston.
Timeline and Present Standing
Unit 42 tracks this exercise as CL-UNK-1054 and continues investigating the marketing campaign’s scope and attribution. Palo Alto Networks clients obtain safety by way of Superior WildFire, Superior URL Filtering, Superior DNS Safety, and Superior Menace Prevention merchandise, which have been up to date to detect LANDFALL-related indicators.
The earliest LANDFALL samples appeared in July 2024, months earlier than Samsung addressed the vulnerability in April 2025.
In September 2025, Samsung patched a further associated vulnerability, CVE-2025-21043, additional defending customers from comparable assault vectors. Samsung customers who’ve utilized safety updates since April 2025 are now not in danger from this particular exploit.
Indicators of Compromise
| SHA256 Hash | Filename | Dimension |
|---|---|---|
| b06dec10e8ad0005ebb9da24204c96cb2e297bd8d418bc1c8983d066c0997756 | img-20250120-wa0005.jpg | 6.66 MB |
| c0f30c2a2d6f95b57128e78dc0b7180e69315057e62809de1926b75f86516b2e | 2.tiff | 6.58 MB |
| 9297888746158e38d320b05b27b0032b2cc29231be8990d87bc46f1e06456f93 | whatsapp picture 2025-02-10 at 4.54.17 pm.jpeg | 6.66 MB |
| d2fafc7100f33a11089e98b660a85bd479eab761b137cca83b1f6d19629dd3b0 | b.so | 103.31 KB |
| 384f073d3d51e0f2e1586b6050af62de886ff448735d963dfc026580096d81bd | (unknown) | 103.31 KB |
| b975b499baa3119ac5c2b3379306d4e50b9610e9bba3e56de7dfd3927a96032d | 1.jpeg | 5.66 MB |
| a62a2400bf93ed84ebadf22b441924f904d3fcda7d1507ba309a4b1801d44495 | (unknown) | 103.31 KB |
| 29882a3c426273a7302e852aa77662e168b6d44dcebfca53757e29a9cdf02483 | img-20240723-wa0001.jpg | 6.58 MB |
| 2425f15eb542fca82892fd107ac19d63d4d112ddbfe698650f0c25acf6f8d78a | 6357fc.zip | 380.71 KB |
| b45817ffb0355badcc89f2d7d48eecf00ebdf2b966ac986514f9d971f6c57d18 | img-20240723-wa0000.jpg | 5.65 MB |
| 69cf56ac6f3888efa7a1306977f431fd1edb369a5fd4591ce37b72b7e01955ee | localfile~ | 1.42 MB |
| 211311468f3673f005031d5f77d4d716e80cbf3c1f0bb1f148f2200920513261 | l | 332.88 KB |
| ffeeb0356abb56c5084756a5ab0a39002832403bca5290bb6d794d14b642ffe2 | (unknown) | 103.31 KB |
Observe us on Google Information, LinkedIn, and X to Get Instantaneous Updates and Set GBH as a Most popular Supply in Google.
