Samsung Zero-Day Flaw Exploited to Deploy LANDFALL Android Spyware in Middle East


These articles are AI-generated summaries. Please check the original sources for full details.


A critical security flaw in Samsung Galaxy devices, identified as CVE-2025-21042 (CVSS score: 8.8), was exploited as a zero-day vulnerability to deploy LANDFALL, a commercial-grade Android spyware. The exploit targeted users in Iraq, Iran, Turkey, and Morocco, leveraging malicious DNG (Digital Negative) images sent via WhatsApp. Samsung patched the flaw in April 2025, but the attacks were active as early as July 2024.

Vulnerability Details

  • CVE-2025-21042: An out-of-bounds write flaw in the libimagecodec.quram.so component, allowing remote code execution.
    • CVSS Score: 8.8 (high severity).
    • Patch Date: April 2025.
  • Related Flaw: CVE-2025-21043 (CVSS 8.8) in the same library was also exploited but not linked to LANDFALL.
  • Impact: Attackers could execute arbitrary code without user interaction, potentially enabling full device compromise.

Exploit Mechanism and Technical Details

  • Delivery Vector: Malicious DNG image files sent via WhatsApp, disguised as normal image attachments.
    • Example filenames: "WhatsApp Image 2025-02-10 at 4.54.17 PM.jpeg" and "IMG-20240723-WA0000.jpg".
  • Exploit Chain:
    • DNG files contained embedded ZIP archives with:
      • A shared object library to execute the spyware.
      • A second shared object to manipulate SELinux policies for elevated permissions.
    • Spyware communicated with a C2 server over HTTPS for beaconing and payload delivery.

Spyware Capabilities (LANDFALL)

  • Data Harvesting: Captured microphone audio, location data, photos, contacts, SMS, files, and call logs.
  • Persistence: Used SELinux policy manipulation to maintain access and execute additional payloads from the C2 server.
  • Modular Design: The loader fetched and executed next-stage payloads, though specifics remain undisclosed.

Timeline and Campaign Activity

  • First Observed Samples: July 23, 2024.
  • Latest Activity: February 2025 (most recent DNG file uploaded to VirusTotal).
  • Patch Status: Vulnerability patched by Samsung in April 2025, but related exploit chains were active until August–September 2025.

Campaign Context and Attribution

  • Target Devices: Samsung Galaxy S22, S23, S24, Z Fold 4, and Z Flip 4 (excluding the latest generation).
  • Attribution: No group has been confirmed; the C2 infrastructure overlaps with that of Stealth Falcon (FruityArmor), but no direct link was established.
  • Broader Campaigns: Similar DNG-based exploits targeted iOS devices via CVE-2025-55177 (CVSS 5.4) and CVE-2025-43300 (CVSS 8.8), though these were patched by Apple and WhatsApp.

Key Takeaways

  • Zero-Click Exploitation: The exploit could be triggered without any user interaction, though no WhatsApp-specific vulnerability was confirmed to be involved.
  • Persistence and Modularity: LANDFALL’s ability to fetch additional payloads highlights its sophistication and adaptability.
  • Ongoing Threats: While the specific exploit was patched, related campaigns targeting Samsung and iOS devices remained active until late 2025.

Recommendations for Users and Organizations

  • Update Devices: Ensure Samsung Galaxy devices are updated to April 2025 security patches.
  • Monitor for Suspicious Files: Be cautious of unexpected DNG or ZIP attachments, especially from untrusted sources.
  • Enable Security Features: Use SELinux policies and other device security mechanisms to limit unauthorized access.
  • Network Monitoring: Detect unusual HTTPS traffic to unknown C2 servers, which may indicate spyware activity.
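The exploit chain described above hides a ZIP archive containing ELF shared objects inside an image file, and the recommendations ask defenders to treat unexpected DNG or ZIP attachments with caution. The Python scanner below is an example added here; it is not code from the original report, from Samsung, or from the researchers who analysed LANDFALL. It parses the ZIP end-of-central-directory (EOCD) record to locate an archive carried anywhere inside an image blob and flags any member whose first bytes are the ELF magic. The layout it assumes (archive placed after a TIFF/DNG header, possibly followed by trailing bytes) and the sample files it builds are constructed for the demonstration; the page does not describe exactly how the real samples embedded their archive.

```python
"""Detect a ZIP archive (and ELF shared objects inside it) embedded in an
image file such as a DNG or JPEG. Added example, not code from the original
report; the sample files built below are constructed, not real LANDFALL data."""
import io
import struct
import zipfile

TIFF_LE = b"II*\x00"       # DNG is TIFF-based; little-endian byte-order mark
TIFF_BE = b"MM\x00*"       # big-endian variant
JPEG_SOI = b"\xff\xd8\xff"  # JPEG start-of-image marker
ZIP_LOCAL = b"PK\x03\x04"  # ZIP local file header signature
ZIP_EOCD = b"PK\x05\x06"   # ZIP end-of-central-directory signature
ELF_MAGIC = b"\x7fELF"


def locate_embedded_zip(data: bytes):
    """Return (start, end) byte offsets of a ZIP archive carried inside data,
    or None. The archive start is derived from the EOCD record (central
    directory size + offset), so bytes before or after the archive do not
    break the parse."""
    eocd = data.rfind(ZIP_EOCD)
    if eocd == -1 or eocd + 22 > len(data):
        return None
    # EOCD layout: sig(4) disk(2) cd_disk(2) n_disk(2) n_total(2)
    #              cd_size(4) cd_offset(4) comment_len(2)
    cd_size, cd_offset, comment_len = struct.unpack_from("<IIH", data, eocd + 12)
    start = eocd - cd_size - cd_offset
    end = eocd + 22 + comment_len
    if start < 0 or data[start:start + 4] != ZIP_LOCAL:
        return None
    return start, end


def scan_image(data: bytes) -> dict:
    """Classify an image blob: does it carry an embedded ZIP, and does that
    ZIP contain ELF shared objects? Returns a plain dict suitable for logging."""
    report = {
        "container": ("tiff/dng" if data[:4] in (TIFF_LE, TIFF_BE)
                      else "jpeg" if data[:3] == JPEG_SOI else "unknown"),
        "zip_offset": None,
        "members": [],
        "elf_members": [],
        "verdict": "clean",
    }
    span = locate_embedded_zip(data)
    if span is None:
        return report
    start, end = span
    try:
        zf = zipfile.ZipFile(io.BytesIO(data[start:end]))
    except zipfile.BadZipFile:
        report["verdict"] = "review"  # PK signatures present but not a parseable archive
        return report
    report["zip_offset"] = start
    report["members"] = zf.namelist()
    for name in zf.namelist():
        with zf.open(name) as fh:
            if fh.read(4) == ELF_MAGIC:  # check content, not just a ".so" suffix
                report["elf_members"].append(name)
    report["verdict"] = "suspicious" if report["elf_members"] else "review"
    return report


def build_constructed_sample(with_payload: bool) -> bytes:
    """Build a minimal TIFF header (what a DNG starts with) and, optionally,
    append a ZIP holding two fake ELF members plus trailing bytes.
    Constructed test data only; member names are placeholders."""
    header = TIFF_LE + struct.pack("<I", 8)                 # offset of first IFD
    header += struct.pack("<H", 0) + struct.pack("<I", 0)   # empty IFD, no next IFD
    body = header + b"\x00" * 64                            # stand-in for image data
    if not with_payload:
        return body
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("first.so", ELF_MAGIC + b"\x00" * 60)   # fake shared object
        zf.writestr("second.so", ELF_MAGIC + b"\x00" * 60)  # fake shared object
        zf.writestr("readme.txt", b"not an ELF")
    # 70,000 trailing bytes: more than zipfile's own 64 KiB EOCD search window
    return body + buf.getvalue() + b"\xff" * 70_000


if __name__ == "__main__":
    for label in ("clean", "carrier"):
        print(label, scan_image(build_constructed_sample(label == "carrier")))
```

Two design choices matter here. First, the archive start is computed from the EOCD record rather than from the first `PK\x03\x04` hit, so stray signature bytes inside image data cannot mislead the parser; the 70,000 trailing bytes in the constructed sample also exceed the 64 KiB window in which Python's `zipfile` looks for an EOCD on its own, which is why the scanner slices the archive out before handing it to `zipfile`. Second, members are flagged by ELF magic rather than by a `.so` suffix, since a renamed extension is trivial to miss. A hit should be treated as a triage signal ("review" or "suspicious"), not as proof of exploitation.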

Reference: Samsung Zero-Day Flaw Exploited to Deploy LANDFALL Android Spyware
