Full Report
A threat actor exploited a zero-day vulnerability in Samsung's Android image processing library to deploy a previously unknown spyware called 'LandFall' using malicious images sent over WhatsApp. [...]
Analysis Summary
# Incident Report: LandFall Spyware Exploitation via Samsung Zero-Day
## Executive Summary
A sophisticated threat actor exploited an unpatched zero-day vulnerability (CVE-2025-21042) in Samsung's Android image processing library via malicious images sent over WhatsApp to deploy the 'LandFall' spyware. The campaign targeted select Samsung Galaxy users, primarily in the Middle East, allowing for comprehensive device takeover, including recording, tracking, and file access. Samsung patched the vulnerability in April 2025, but active exploitation was confirmed to be ongoing since at least July 2024.
## Incident Details
- Discovery Date: November 7, 2025 (Date of public reporting based on Unit 42 analysis)
- Incident Date: Active since at least July 23, 2024 (Date of first observed sample submission to VirusTotal)
- Affected Organization: Undisclosed targets (Select Samsung Galaxy users)
- Sector: Mobile Device Users (Consumer/End-User)
- Geography: Middle East (Potential targets identified in Iraq, Iran, Turkey, and Morocco)
## Timeline of Events
### Initial Access
- Date/Time: On or before July 23, 2024
- Vector: Malicious image file delivery via WhatsApp.
- Details: Attackers sent specially crafted, malformed `.DNG` raw image format files, appended with a `.ZIP` archive, through WhatsApp to target devices. This exploited CVE-2025-21042, an out-of-bounds write in `libimagecodec.quram.so`.
### Lateral Movement
- Details: Not explicitly detailed, though the installation of the SELinux policy manipulator (`l.so`) suggests post-exploitation steps aimed at elevating privileges and establishing persistence, which facilitates control over the device environment.
### Data Exfiltration/Impact
- Details: Successful execution of spying features, including microphone recording, call recording, location tracking, and access to photos, contacts, SMS, call logs, and files/browsing history.
### Detection & Response
- Date/Time: Samsung patched the vulnerability in April 2025.
- Details: Researchers at Palo Alto Networks’ Unit 42 identified and analyzed samples submitted to VirusTotal starting July 2024, leading to the public disclosure and analysis of the campaign.
## Attack Methodology
- Initial Access: Exploitation of CVE-2025-21042 (Out-of-bounds write in Samsung's image processing library) via specially formatted `.DNG` image files delivered via WhatsApp.
- Persistence: Achieved via the installation of module `l.so` (SELinux policy manipulator), which modifies security settings to maintain access.
- Privilege Escalation: Achieved through the SELinux policy manipulator.
- Defense Evasion: Capabilities observed include specific evasion techniques and bypassing protections as part of the spyware's functionality.
- Credential Access: Not explicitly detailed, but likely covered under general data collection/access capabilities.
- Discovery: Device fingerprinting based on hardware and SIM IDs (IMEI, IMSI, SIM card number), user account details, Bluetooth status, location services, and installed application lists.
- Lateral Movement: Not explicitly detailed beyond execution of modules, suggesting focus on deep persistence on the initial compromised device.
- Collection: Microphone recording, call recording, location data, contacts, SMS, call logs, photos, and browsing history.
- Exfiltration: Not detailed outside of general collection.
- Impact: Comprehensive device surveillance and data theft.
## Impact Assessment
- Financial: Not available.
- Data Breach: Highly sensitive personal data including communication records, location history, contacts, and private files compromised on targeted Samsung devices.
- Operational: Compromise limited to targeted end-user devices; no broader enterprise network impact reported.
- Reputational: Potential damage to Samsung's security perception due to the zero-day being actively exploited prior to the patch.
## Indicators of Compromise
- Network Indicators (Defanged C2s): Correlated C2 servers exhibiting infrastructure patterns similar to known APTs (e.g., Stealth Falcon).
- File Indicators: Loader module (`b.so`), SELinux policy manipulator (`l.so`), and malformed `.DNG` files appended with `.ZIP` archives.
- Behavioral Indicators: Modification of SELinux policies; execution of extensive surveillance modules; device fingerprinting using IMEI/IMSI data.
## Response Actions
- Containment Measures: N/A applied by the victims in real-time; Unit 42 publicly disclosed findings to prompt action.
- Eradication Steps: Users advised to immediately apply security updates released by Samsung in April 2025 (patching CVE-2025-21042). Some C2 servers were flagged by CERT organizations.
- Recovery Actions: Users should scan devices and consider factory resets if compromise is suspected, and immediately update the OS.
## Lessons Learned
- **Supply Chain Risk in OS Components:** A zero-day in a core library like the Android image processing library presents a significant attack surface even through seemingly benign communications (like image sharing).
- **Targeted Exploitation via Messengers:** WhatsApp remains a critical vector for sophisticated, targeted attacks, especially when image processing is involved.
- **Attribution Challenge:** Even with infrastructure clues (e.g., C2 patterns resembling Stealth Falcon or module naming conventions from known vendors like NSO Group), definitive attribution for commercial spyware remains difficult.
## Recommendations
- **Prompt Patching:** Immediately apply all security updates for mobile operating systems and applications, noting that Samsung patched this specific flaw in April 2025.
- **Media Handling Controls:** Users should disable automatic media downloading in messaging applications (like WhatsApp) to prevent silent execution upon receipt.
- **Enhanced Device Protections:** Users should enable advanced security features on Android (e.g., 'Advanced Protection' programs) or equivalent high-security modes on other mobile OSes to mitigate post-exploitation activities.