Hackers Hijacking Samsung Galaxy Phones by Exploiting 0-Day Using a Single Image Via WhatsApp

A sophisticated spyware operation targeting Samsung Galaxy devices, dubbed LANDFALL, exploited a zero-day vulnerability to infiltrate phones through seemingly innocuous images shared on WhatsApp.

This campaign, active since mid-2024, allowed attackers to deploy commercial-grade Android malware capable of full device surveillance without user interaction.

The discovery underscores ongoing threats from state-linked surveillance tools in the Middle East, where such intrusions have become alarmingly common.

Unit 42’s investigation began in mid-2025 while probing iOS exploit samples, leading to the unearthing of Android-specific malware embedded in Digital Negative (DNG) image files.

These files, often disguised with WhatsApp-style names like “IMG-20240723-WA0000.jpg,” were uploaded to VirusTotal from locations including Morocco, Iran, Iraq, and Turkey between July 2024 and early 2025.

Figure: Payload embedded in a ZIP file (Source: Unit 42)

Researchers determined that LANDFALL leveraged CVE-2025-21042, a critical flaw in Samsung’s image processing library libimagecodec.quram.so, patched in April 2025 after in-the-wild exploitation reports surfaced.

Unlike similar iOS attacks disclosed in August and September 2025, this Android chain predated those events and did not rely on any flaw in WhatsApp itself.

The operation’s precision suggests targeted espionage rather than broad distribution, with infrastructure overlaps to vendors like Stealth Falcon, known for hitting Emirati activists since 2012.

The attack chain relied on malformed DNG files containing an appended ZIP archive, tricking the vulnerable library into extracting and executing shared object (.so) libraries that installed the spyware.

Figure: Attack chain (Source: Unit 42)
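The delivery format described above, a DNG image with a ZIP archive appended after the image data, is a polyglot that a defender can screen for before an image ever reaches a decoder. The following triage script is an added example, not Unit 42's tooling or Samsung's code; it relies only on the facts that DNG is a TIFF container and that the ZIP reader locates its central directory from the end of the file, and the sample files it builds are constructed here, not real LANDFALL artifacts.

```python
import io
import struct
import zipfile

# DNG files are TIFF containers: little-endian "II*\0" or big-endian "MM\0*" magic.
TIFF_MAGICS = (b"II*\x00", b"MM\x00*")
ZIP_LOCAL_HDR = b"PK\x03\x04"


def is_tiff(data: bytes) -> bool:
    """True if the blob starts with a TIFF/DNG header."""
    return data[:4] in TIFF_MAGICS


def appended_zip_members(data: bytes) -> list:
    """Return member names of a ZIP archive appended to the blob, or [] if none.

    zipfile finds the End-of-Central-Directory record from the end of the file and
    compensates for leading non-ZIP bytes, so a TIFF+ZIP polyglot opens directly.
    """
    if data.find(ZIP_LOCAL_HDR, 8) < 0:  # no local file header past the TIFF header
        return []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return []


def assess(data: bytes) -> dict:
    """Classify a blob as clean, polyglot (image + archive) or suspicious (.so inside)."""
    tiff = is_tiff(data)
    members = appended_zip_members(data) if tiff else []
    native_libs = [n for n in members if n.endswith(".so")]
    verdict = "suspicious" if native_libs else ("polyglot" if members else "clean")
    return {"is_tiff": tiff, "zip_members": members, "native_libs": native_libs,
            "verdict": verdict}


def make_minimal_tiff() -> bytes:
    """Constructed sample: little-endian TIFF header plus one empty IFD at offset 8."""
    header = b"II*\x00" + struct.pack("<I", 8)
    ifd = struct.pack("<H", 0) + struct.pack("<I", 0)  # zero entries, no next IFD
    return header + ifd


def make_polyglot_sample() -> bytes:
    """Constructed sample: the minimal TIFF with a ZIP holding a fake .so appended."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("payload/libstage.so", b"\x7fELF placeholder (constructed)")
    return make_minimal_tiff() + buf.getvalue()
```

Run `assess()` over attachments before they are handed to an image library; any result other than "clean" for a file that claims to be a photo is worth quarantining and inspecting.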

Upon infection, LANDFALL granted attackers access to microphones for recording, precise GPS tracking, and harvesting of photos, contacts, call logs, and messages.

It specifically targeted Galaxy models like the S22, S23, S24, and Z series running Android 13 to 15, enabling zero-click deployment via messaging apps.

This mirrors patterns in recent iOS exploits but highlights a recurring weakness in mobile image processors across platforms.

Samsung’s September 2025 patch for CVE-2025-21043 addressed a related zero-day in the same library, bolstering defenses against future image-based attacks.

Despite the patches, the campaign evaded detection for nearly a year, emphasizing the stealth of private-sector offensive actors (PSOAs) in regional surveillance.

For current Samsung users, the risk is mitigated since both vulnerabilities are patched, but the revelation exposes how commercial spyware vendors supply tools to governments for unchecked spying.

Unit 42 noted no attribution to specific actors, but the Middle East focus aligns with prior PSOA operations. Experts urge vigilance on image previews in apps like WhatsApp and recommend timely updates to avert similar threats.

This case joins a wave of mobile exploits, from Pegasus to recent iOS chains, signaling an arms race where zero-days remain a prime weapon.

As spyware evolves, collaboration between vendors like Samsung and researchers is crucial to outpace attackers.
