Full Report
Cybersecurity researchers at Unit 42 have uncovered a sophisticated Android spyware campaign that exploited a previously unknown zero-day vulnerability in Samsung Galaxy devices. The malware, dubbed LANDFALL, leveraged a critical vulnerability in Samsung’s image processing library to deliver commercial-grade surveillance capabilities through maliciously crafted image files sent via WhatsApp. The LANDFALL campaign exploited CVE-2025-21042, a […] The post New “LANDFALL” Android Malware Uses Samsung 0-Day Vulnerability Hidden in WhatsApp Images appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.
Analysis Summary
# Vulnerability: LANDFALL Android Spyware Zero-Day in Samsung Image Processing Library
## CVE Details
- CVE ID: CVE-2025-21042
- CVSS Score: Critical (no numeric score is given in the source; the flaw is described as a "critical vulnerability" exploited as a zero-day.)
- CWE: Insufficient input validation/parsing in image processing library (Implied)
## Affected Systems
- Products: Samsung Galaxy devices (specifically mentioning S22, S23, S24 series, and Z Fold4/Z Flip4 models).
- Versions: Firmware builds prior to the April 2025 security patch release.
- Configurations: Android devices using the vulnerable Samsung image processing library component (`b.so`). Exploitation vector is through image files received via WhatsApp.
## Vulnerability Description
This is a zero-day vulnerability within Samsung’s Android image processing library. Threat actors leveraged this flaw by embedding malicious spyware (LANDFALL) within malformed DNG (Digital Negative) image files. When processed by the vulnerable system component, this file triggered the execution of the surveillance payload, allowing commercial-grade spyware to be installed. The malware utilizes sophisticated evasion techniques and manipulates SELinux policies for persistence.
## Exploitation
- Status: Exploited in the wild (Campaign active in 2024 and early 2025, addressed in April 2025).
- Complexity: Medium (Requires crafting a specific DNG file and delivery via a communication channel like WhatsApp).
- Attack Vector: Network/Adjacent (Delivery via a message attachment).
## Impact
- Confidentiality: High (Enables extensive surveillance: microphone recording, location tracking, call logs, photos, contacts, and SMS extraction).
- Integrity: High (Ability to manipulate SELinux policies and download additional components).
- Availability: Medium (Potential full device compromise impacts usability).
## Remediation
### Patches
- Samsung released a patch addressing CVE-2025-21042 in April 2025. Users should ensure their Samsung Galaxy devices are updated to the latest available security patch levels released after April 2025.
### Workarounds
- Exercise caution when opening image files received from unknown or untrusted sources, especially if they arrive via messaging applications like WhatsApp.
- Due to the reliance on DNG file processing, users relying on less common image formats may face a reduced initial risk, though general file safety guidelines still apply.
## Detection
- **Indicators of Compromise:**
  - Suspicious outbound network traffic on non-standard, ephemeral TCP ports.
  - Unusual activity indicative of surveillance (e.g., frequent microphone/GPS activation when not expected).
  - Presence of suspected components (e.g., the `b.so` component or the "Bridge Head" loader).
- **Detection Methods and Tools:**
  - Mobile threat detection platforms capable of API monitoring and behavioural analysis of file parsing.
  - Files named like “WhatsApp Image [date]” or “IMG-[date]-WA[number].jpg” that contain embedded archives or executables, as flagged in the analysis.
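A simple triage check for the file-based indicators above, as an added example that is not part of the original report or of Unit 42's tooling. It assumes the WhatsApp naming pattern uses an 8-digit date and a 4-digit counter (constructed regex), that a lure image named `.jpg` but carrying a TIFF/DNG body is worth flagging (DNG is TIFF-based, which is a known fact; treating the mismatch as a signal is an assumption drawn from the advisory's mention of malformed DNG files), and that embedded ZIP or ELF magic bytes indicate an embedded archive or executable.

```python
import re
import struct

# Constructed regex for the lure file names quoted in the Detection section
# (assumes an 8-digit date and a counter of at least 4 digits).
WHATSAPP_NAME_RE = re.compile(r"^(WhatsApp Image .*|IMG-\d{8}-WA\d{4,}\.jpg)$", re.IGNORECASE)

TIFF_LE = b"II*\x00"      # DNG is TIFF-based: little-endian TIFF header
TIFF_BE = b"MM\x00*"      # big-endian TIFF header
JPEG_SOI = b"\xff\xd8\xff"
EMBEDDED_MAGICS = {
    b"PK\x03\x04": "zip-archive",     # ZIP local file header
    b"\x7fELF": "elf-executable",     # ELF binary
}

def inspect_image(name: str, data: bytes) -> dict:
    """Return triage findings for one attachment: name pattern, container type,
    extension mismatch and any embedded archive/executable markers."""
    findings = {
        "name_matches_lure_pattern": bool(WHATSAPP_NAME_RE.match(name)),
        "container": "unknown",
        "extension_mismatch": False,
        "embedded": [],
    }
    if data.startswith(JPEG_SOI):
        findings["container"] = "jpeg"
    elif data.startswith(TIFF_LE) or data.startswith(TIFF_BE):
        findings["container"] = "tiff/dng"
    # A .jpg name carrying a TIFF/DNG body is the mismatch this example treats as a signal
    if name.lower().endswith(".jpg") and findings["container"] == "tiff/dng":
        findings["extension_mismatch"] = True
    # Scan past the container header for archive/executable magics embedded in the image
    for magic, label in EMBEDDED_MAGICS.items():
        if data.find(magic, 8) != -1:
            findings["embedded"].append(label)
    findings["suspicious"] = findings["extension_mismatch"] or bool(findings["embedded"])
    return findings

# Constructed samples: a minimal benign JPEG, and a .jpg-named TIFF/DNG body
# with a ZIP local-header signature embedded after the TIFF header.
BENIGN = JPEG_SOI + b"\xe0" + b"\x00" * 64
SUSPECT = TIFF_LE + struct.pack("<I", 8) + b"\x00" * 32 + b"PK\x03\x04" + b"\x00" * 32

if __name__ == "__main__":
    print(inspect_image("IMG-20250301-WA0007.jpg", BENIGN))
    print(inspect_image("IMG-20250301-WA0008.jpg", SUSPECT))
```

The magic-byte scan is a coarse first pass: a hit warrants sandboxing or a full parser-level analysis, not a verdict on its own.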
## References
- Unit 42 advisory: `https://unit42.paloaltonetworks.com/landfall-is-new-commercial-grade-android-spyware/`