
A patched security flaw in Samsung Galaxy Android devices was exploited as a zero-day in a targeted attack in the Middle East to deliver “commercial-grade” Android spyware called LANDFALL.
According to Palo Alto Networks Unit 42, this activity involves exploitation of CVE-2025-21042 (CVSS score: 8.8), an out-of-bounds write flaw in the ‘libimagecodec.quram.so’ component, which may allow remote attackers to execute arbitrary code. This issue was resolved by Samsung in April 2025.
“This vulnerability was actively exploited in the wild before being patched by Samsung in April 2025 following reports of real-world attacks,” Unit 42 said. Based on VirusTotal submission data, potential targets for this operation, tracked as CL-UNK-1054, are located in Iraq, Iran, Turkey, and Morocco.
This development comes after Samsung revealed in September 2025 that another flaw in the same library (CVE-2025-21043, CVSS score: 8.8) was also exploited as a zero-day. There is no evidence that this security flaw was weaponized in the LANDFALL campaign.

The attack is assessed to have involved sending malicious images in the form of DNG (digital negative) files via WhatsApp, with evidence in the LANDFALL sample dating back to July 23, 2024. This is based on DNG artifacts carrying names such as “IMG-20240723-WA0000.jpg” and “WhatsApp Image 2025-02-10 at 4.54.17 PM.jpeg”.
Once installed and running, LANDFALL acts as a comprehensive spying tool that can collect sensitive data such as microphone recordings, location information, photos, contacts, SMS messages, files, and call logs. The exploit chain likely relied on a zero-click approach, triggering the CVE-2025-21042 exploit without any user interaction.
LANDFALL spyware flowchart
Notably, around the same time, WhatsApp disclosed that a flaw in its messaging app for iOS and macOS (CVE-2025-55177, CVSS score: 5.4) had been used in combination with a flaw in Apple iOS, iPadOS, and macOS, CVE-2025-43300 (CVSS score: 8.8), as part of a sophisticated campaign said to target a limited number of specific users. Apple and WhatsApp have since patched the flaws.
A timeline of recent malicious DNG image files and associated exploit activity.
Unit 42’s analysis of the discovered DNG files revealed a ZIP file appended to the end of the image, which the exploit used to extract shared object libraries from the archive and run the spyware. The archive also contains another shared object designed to manipulate the device’s SELinux policy in order to grant LANDFALL elevated permissions and facilitate persistence.
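Because DNG is a TIFF-based container and a trailing ZIP keeps its own end-of-central-directory record, a defender can triage a suspect image by checking for that structure. The following is an added example for this article, not Unit 42’s tooling or any LANDFALL artifact: it locates a ZIP appended to a TIFF/DNG file and lists its members, using a constructed sample whose member names are placeholders.

```python
"""Triage helper (added example): flag a DNG/TIFF file that carries a ZIP archive after the image data."""
import io
import struct
import zipfile

TIFF_MAGICS = (b"II*\x00", b"MM\x00*")   # DNG is a TIFF container, so it starts with a TIFF header
EOCD_SIG = b"PK\x05\x06"                # ZIP end-of-central-directory signature


def find_appended_zip(data: bytes):
    """Return (zip_start_offset, member_names) if a ZIP trails the TIFF data, else None."""
    if data[:4] not in TIFF_MAGICS:
        return None
    eocd = data.rfind(EOCD_SIG)
    if eocd == -1:
        return None
    # EOCD layout: sig(4) disk(2) cd_disk(2) entries_disk(2) entries(2) cd_size(4) cd_offset(4) comment_len(2)
    cd_size, cd_offset = struct.unpack_from("<II", data, eocd + 12)
    # cd_offset is relative to the archive start; the real central directory sits at eocd - cd_size,
    # so the difference tells us how many image bytes precede the embedded archive.
    zip_start = eocd - cd_size - cd_offset
    if zip_start < 0 or data[zip_start:zip_start + 4] != b"PK\x03\x04":
        return None
    try:
        with zipfile.ZipFile(io.BytesIO(data[zip_start:])) as zf:
            return zip_start, zf.namelist()
    except zipfile.BadZipFile:
        return None


def build_clean_tiff() -> bytes:
    """Constructed minimal little-endian TIFF: header, one IFD with one tag (ImageWidth=1), padding bytes."""
    header = b"II*\x00" + struct.pack("<I", 8)                  # magic + offset of first IFD
    ifd = struct.pack("<H", 1) + struct.pack("<HHII", 256, 3, 1, 1) + struct.pack("<I", 0)
    return header + ifd + b"\x00" * 64                         # padding stands in for pixel data


def build_sample() -> bytes:
    """Constructed sample in the shape Unit 42 describes: TIFF/DNG bytes followed by a ZIP of shared objects."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:                      # member names are placeholders, not real IoCs
        zf.writestr("loader.so", b"\x7fELF placeholder")
        zf.writestr("policy_helper.so", b"\x7fELF placeholder")
    return build_clean_tiff() + buf.getvalue()


if __name__ == "__main__":
    hit = find_appended_zip(build_sample())
    print("appended ZIP at offset %d, members: %s" % hit if hit else "no appended archive")
```

A file that is named .jpg or .jpeg but begins with a TIFF header is itself worth a second look, given the file names cited above.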

The shared object that loads LANDFALL communicates with the command and control (C2) server over HTTPS, enters a beacon loop, and receives an unspecified next-stage payload for subsequent execution.
It is currently unknown who is behind the spyware or the campaign. That said, Unit 42 noted that while LANDFALL’s C2 infrastructure and domain registration patterns match those of Stealth Falcon (also known as FruityArmor), no direct overlap between the two clusters had been detected as of October 2025.
“Since samples first appeared in July 2024, this activity highlights how advanced exploits can remain in public repositories for long periods of time until they are fully understood,” Unit 42 said.
