Researchers from Unit 42, the threat intelligence team at Palo Alto Networks, have discovered a previously unknown Android spyware family dubbed LANDFALL, which leveraged a zero-day vulnerability (CVE-2025-21042) in Samsung’s image processing library to compromise Galaxy devices.
The campaign—active since mid-2024—appears to have targeted users in the Middle East, with the spyware embedded inside malicious DNG image files sent through WhatsApp, enabling zero-click infection and full device surveillance.
LANDFALL’s infection vector relied on malformed DNG (Digital Negative) image files—a raw image format derived from TIFF. Attackers embedded a ZIP archive containing the spyware payload inside the image file, exploiting a flaw in libimagecodec.quram.so, a Samsung library responsible for image decoding.
“The malformed DNG image files we discovered have an embedded ZIP archive appended to the end of the file… Our analysis indicates these DNG files exploit CVE-2025-21042, a vulnerability in Samsung’s image-processing library libimagecodec.quram.so that Samsung patched in April 2025.”
Once the image was opened—or, under certain conditions, merely previewed—the exploit triggered silently, extracting shared object (.so) binaries from the ZIP payload embedded in the image and executing them on the device. Because no user interaction was required, this amounts to a zero-click infection mechanism, similar to those used by commercial spyware platforms such as Pegasus and Predator.
“The exploit extracts shared object library (.so) files from the embedded ZIP archive to run LANDFALL spyware.”
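A defender's triage check for the file-level indicator described above (a DNG/TIFF image with a ZIP archive appended after its end). The following is an added example, not code from Unit 42 or from the report; it validates the TIFF header, locates a trailing ZIP end-of-central-directory record, and lists the archive's entry names so that shared objects such as `b.so` and `l.so` stand out. The sample image and archive are constructed in the block for demonstration; the entry contents are placeholder bytes, not the real payload.

```python
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"   # ZIP end-of-central-directory signature
CDFH_SIG = b"PK\x01\x02"   # ZIP central-directory file header signature
# Classic TIFF/DNG headers: byte-order mark followed by magic 42.
TIFF_MAGICS = {b"II*\x00": "<", b"MM\x00*": ">"}


def tiff_byte_order(data: bytes):
    """Return the struct byte-order prefix if data starts with a TIFF/DNG header, else None."""
    return TIFF_MAGICS.get(data[:4])


def find_trailing_zip(data: bytes):
    """Locate a ZIP archive whose EOCD record sits in the tail of the file.

    The EOCD is 22 bytes plus an optional comment of at most 65535 bytes, so only
    that much of the tail needs to be searched. Returns (eocd_offset, zip_base, names)
    or None when no appended archive is found.
    """
    tail_start = max(0, len(data) - 65535 - 22)
    pos = data.rfind(EOCD_SIG, tail_start)
    if pos < 0 or pos + 22 > len(data):
        return None
    (_disk, _cd_disk, _n_disk, n_total, cd_size, cd_offset, _comment_len) = struct.unpack(
        "<HHHHIIH", data[pos + 4 : pos + 22]
    )
    # When an archive is appended to another file, cd_offset is relative to the
    # archive's own start, so the start is recovered from the EOCD position.
    zip_base = pos - cd_size - cd_offset
    if zip_base < 0:
        return None
    names = []
    cursor = zip_base + cd_offset
    for _ in range(n_total):
        if data[cursor : cursor + 4] != CDFH_SIG:
            break
        name_len, extra_len, comment_len = struct.unpack("<HHH", data[cursor + 28 : cursor + 34])
        names.append(data[cursor + 46 : cursor + 46 + name_len].decode("utf-8", "replace"))
        cursor += 46 + name_len + extra_len + comment_len
    return pos, zip_base, names


def triage_dng(data: bytes) -> dict:
    """Summarise whether a DNG/TIFF blob carries an appended ZIP and what it contains."""
    order = tiff_byte_order(data)
    result = {
        "valid_tiff_header": order is not None,
        "trailing_zip": False,
        "zip_entries": [],
        "embedded_shared_objects": [],
    }
    if order:
        # Sanity-check the first IFD offset against the file size.
        (ifd_offset,) = struct.unpack(order + "I", data[4:8])
        result["first_ifd_in_bounds"] = 8 <= ifd_offset < len(data)
    zip_info = find_trailing_zip(data)
    if zip_info:
        _, zip_base, names = zip_info
        result["trailing_zip"] = True
        result["zip_start_offset"] = zip_base
        result["zip_entries"] = names
        result["embedded_shared_objects"] = [n for n in names if n.endswith(".so")]
    # A legitimate camera raw file has no reason to carry a ZIP archive at all.
    result["suspicious"] = result["trailing_zip"]
    return result


def build_minimal_tiff() -> bytes:
    """Constructed sample: little-endian TIFF header plus one IFD holding ImageWidth=1."""
    header = b"II*\x00" + struct.pack("<I", 8)
    ifd = struct.pack("<H", 1) + struct.pack("<HHII", 256, 3, 1, 1) + struct.pack("<I", 0)
    return header + ifd


def build_sample_with_appended_zip() -> bytes:
    """Constructed sample: the minimal TIFF with a ZIP of placeholder .so entries appended."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:  # ZIP_STORED by default
        zf.writestr("b.so", b"\x7fELF placeholder bytes, not a real binary")
        zf.writestr("l.so", b"\x7fELF placeholder bytes, not a real binary")
    return build_minimal_tiff() + buf.getvalue()


if __name__ == "__main__":
    print("clean sample:", triage_dng(build_minimal_tiff()))
    print("appended-zip sample:", triage_dng(build_sample_with_appended_zip()))
```

The check only looks for the appended-archive structure; it does not attempt to detect the parser bug itself, so a match is a strong triage signal rather than proof of exploitation, and a real DNG from a camera should never trip it.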
LANDFALL is described as “commercial-grade” spyware engineered specifically for Samsung Galaxy models including the S22, S23, S24, Z Fold4, and Z Flip4. Once installed, it granted attackers extensive control and visibility into the device.
“LANDFALL enabled comprehensive surveillance, including microphone recording, location tracking and collection of photos, contacts and call logs.”
The spyware’s core module, b.so, functions as a backdoor loader, while a secondary component, l.so, manipulates SELinux policies to elevate privileges and ensure persistence. These two components were extracted directly from the malicious image files, revealing a sophisticated infection framework that rivals known state-linked spyware vendors.
LANDFALL’s capabilities include:
- Recording calls and ambient audio.
- Stealing contacts, SMS, app data, and photos.
- Tracking location and monitoring installed applications.
- Detecting debugging frameworks such as Frida and Xposed to avoid analysis.
- Manipulating file systems and app directories, particularly targeting WhatsApp’s media folder for persistence.
The spyware communicates with its command-and-control (C2) servers using HTTPS over nonstandard ephemeral ports, sending encrypted JSON payloads containing device identifiers, configuration keys, and agent status.
“The b.so component of LANDFALL communicates with its C2 server over HTTPS using a non-standard, ephemeral TCP port… initiating contact with a POST request containing detailed device and spyware information.”
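A network-side heuristic for the C2 behaviour described above: TLS sessions to a non-standard, ephemeral destination port, or to one of the domains the report names. This is an added example, not Unit 42's detection logic; the tab-separated connection records, the private source addresses and the 203.0.113.0/24 destinations are constructed for illustration, and the record format is a simplified stand-in for whatever flow or TLS log a deployment actually produces. The two domains are the ones named on this page, kept in defanged form and normalised before matching.

```python
from dataclasses import dataclass

# C2 domains as published (defanged); refanged only at match time.
LANDFALL_C2_DOMAINS_DEFANGED = ["brightvideodesigns[.]com", "healthyeatingontherun[.]com"]
COMMON_TLS_PORTS = {443, 8443}
EPHEMERAL_PORT_START = 49152  # IANA dynamic/private port range


def refang(domain: str) -> str:
    return domain.replace("[.]", ".").strip().lower()


KNOWN_C2 = {refang(d) for d in LANDFALL_C2_DOMAINS_DEFANGED}


@dataclass
class Flow:
    ts: str
    src: str
    dst: str
    dst_port: int
    service: str
    sni: str  # TLS server name, or "-" when absent


def parse_flow(line: str) -> Flow:
    """Parse one constructed record: ts, src, dst, dst_port, service, sni (tab-separated)."""
    ts, src, dst, port, service, sni = line.rstrip("\n").split("\t")
    return Flow(ts, src, dst, int(port), service.lower(), sni)


def assess(flow: Flow) -> list[str]:
    """Return the reasons a flow matches the described C2 pattern (empty when clean)."""
    reasons = []
    if flow.service != "tls":
        return reasons
    if flow.dst_port not in COMMON_TLS_PORTS:
        label = "ephemeral" if flow.dst_port >= EPHEMERAL_PORT_START else "non-standard"
        reasons.append(f"TLS to {label} port {flow.dst_port}")
    if refang(flow.sni) in KNOWN_C2:
        reasons.append(f"SNI matches known LANDFALL C2 domain {flow.sni}")
    return reasons


def scan(lines: list[str]) -> list[tuple[str, str, list[str]]]:
    """Return (timestamp, destination, reasons) for every flow that matches."""
    hits = []
    for line in lines:
        flow = parse_flow(line)
        reasons = assess(flow)
        if reasons:
            hits.append((flow.ts, f"{flow.dst}:{flow.dst_port}", reasons))
    return hits


# Constructed sample records: one benign session, one to a named C2 domain on an
# ephemeral port, one to an unknown host on an ephemeral port with no SNI.
SAMPLE_FLOWS = [
    "2025-06-01T10:00:00Z\t10.0.0.5\t203.0.113.10\t443\ttls\texample.com",
    "2025-06-01T10:00:07Z\t10.0.0.5\t203.0.113.20\t57231\ttls\tbrightvideodesigns.com",
    "2025-06-01T10:01:15Z\t10.0.0.7\t203.0.113.30\t49152\ttls\t-",
]

if __name__ == "__main__":
    for ts, dst, reasons in scan(SAMPLE_FLOWS):
        print(ts, dst, "; ".join(reasons))
```

The port heuristic alone will produce noise on networks where legitimate services listen on unusual ports, so it is best used to prioritise review alongside the domain match and the device-side file indicator rather than as a standalone alert.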
Unit 42 identified six active C2 domains—including brightvideodesigns[.]com and healthyeatingontherun[.]com—most of which resolved to IP addresses geolocated in Europe and the Middle East.
Evidence from VirusTotal submissions shows the infected DNG samples originated from users in Iraq, Iran, Turkey, and Morocco, suggesting a regional espionage operation. Turkey’s national CERT (USOM) later flagged IP addresses associated with LANDFALL’s C2 infrastructure as APT-related and mobile-focused.
While definitive attribution remains unconfirmed, Unit 42’s report highlights significant overlap with commercial spyware vendors. The term “Bridge Head”—found within LANDFALL’s debug strings—is a common codename used by private-sector offensive actors (PSOAs) such as NSO Group, Variston, Cytrox, and Quadream.
Additionally, LANDFALL’s infrastructure and tradecraft share similarities with Stealth Falcon, a group previously linked to the United Arab Emirates (UAE) and known for deploying advanced surveillance tools in the Middle East.