Zero-Day to Deploy LANDFALL Android Spyware

A now-patched security flaw in Samsung Galaxy Android devices was exploited as a zero-day to deliver a "commercial-grade" Android spyware dubbed LANDFALL in targeted attacks in the Middle East.

The activity involved the exploitation of CVE-2025-21042 (CVSS score: 8.8), an out-of-bounds write flaw in the "libimagecodec.quram.so" component that could allow remote attackers to execute arbitrary code, according to Palo Alto Networks Unit 42. The issue was addressed by Samsung in April 2025.

"This vulnerability was actively exploited in the wild before Samsung patched it in April 2025, following reports of in-the-wild attacks," Unit 42 said. Potential targets of the activity, tracked as CL-UNK-1054, are located in Iraq, Iran, Turkey, and Morocco based on VirusTotal submission data.

The development comes as Samsung disclosed in September 2025 that another flaw in the same library (CVE-2025-21043, CVSS score: 8.8) had also been exploited in the wild as a zero-day. There is no evidence of this security flaw being weaponized in the LANDFALL campaign. Samsung did not immediately respond to a request for comment.


It's assessed that the attacks involved sending malicious images via WhatsApp in the form of DNG (Digital Negative) files, with evidence of LANDFALL samples going all the way back to July 23, 2024. This is based on DNG artifacts bearing names like "WhatsApp Image 2025-02-10 at 4.54.17 PM.jpeg" and "IMG-20240723-WA0000.jpg."

Itay Cohen, senior principal researcher at Palo Alto Networks Unit 42, told The Hacker News that they have not observed any significant functional changes between the samples from July 2024 and February 2025, when the most recent LANDFALL artifact was uploaded to VirusTotal.

LANDFALL, once installed and executed, acts as a comprehensive spy tool, capable of harvesting sensitive data, including microphone recording, location, photos, contacts, SMS, files, and call logs.

While Unit 42 said the exploit chain may have involved a zero-click approach that triggers the exploitation of CVE-2025-21042 without any user interaction, there are currently no indications that this occurred, nor that an unknown security issue in WhatsApp exists to support this hypothesis.

The Android spyware is specifically designed to target Samsung's Galaxy S22, S23, and S24 series devices, as well as Z Fold 4 and Z Flip 4, covering some of the flagship devices from the South Korean electronics chaebol, with the exception of the latest generation.

Flowchart for LANDFALL spyware

It's worth noting that around the same time WhatsApp disclosed that a flaw in its messaging app for iOS and macOS (CVE-2025-55177, CVSS score: 5.4) was chained along with CVE-2025-43300 (CVSS score: 8.8), a flaw in Apple iOS, iPadOS, and macOS, to potentially target less than 200 users as part of a sophisticated campaign. Apple and WhatsApp have since patched the flaws.

Timeline for recent malicious DNG image files and associated exploit activity

Unit 42's analysis of the discovered DNG files shows that they come with an embedded ZIP file appended to the end of the file, with the exploit being used to extract a shared object library from the archive to run the spyware. Also present in the archive is another shared object that's designed to manipulate the device's SELinux policy to grant LANDFALL elevated permissions and facilitate persistence.
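A triage check for the file layout described above (a TIFF-based DNG body with a ZIP archive appended after it), as an added example that is not part of Unit 42's report: it locates the appended archive from its end-of-central-directory record, reports the offset where the archive begins, and lists any shared objects inside. The function names and the sample file are constructed for this example; the placeholder `.so` members are not the real LANDFALL components.

```python
import io
import struct
import zipfile
from typing import Optional

TIFF_MAGICS = (b"II*\x00", b"MM\x00*")   # little- and big-endian TIFF, which DNG builds on
ZIP_LOCAL_HEADER = b"PK\x03\x04"
ZIP_EOCD = b"PK\x05\x06"


def find_appended_zip(data: bytes) -> Optional[dict]:
    """Return offset and member list of a ZIP archive appended after a DNG/TIFF body, else None."""
    if data[:4] not in TIFF_MAGICS:
        return None                                  # not a TIFF-based container at all
    eocd = data.rfind(ZIP_EOCD)
    if eocd == -1:
        return None                                  # no end-of-central-directory record
    # EOCD layout: sig(4) disk(2) cd_disk(2) n_this(2) n_total(2) cd_size(4) cd_offset(4) comment_len(2)
    cd_size, cd_offset = struct.unpack_from("<II", data, eocd + 12)
    # cd_offset is relative to the archive start; the central directory physically sits just
    # before the EOCD, so the archive start is that position minus the claimed offset.
    zip_start = eocd - cd_size - cd_offset
    if zip_start < 4 or data[zip_start:zip_start + 4] != ZIP_LOCAL_HEADER:
        return None                                  # bogus or empty archive
    with zipfile.ZipFile(io.BytesIO(data[zip_start:])) as zf:
        names = zf.namelist()
    return {
        "zip_offset": zip_start,
        "members": names,
        "shared_objects": [n for n in names if n.endswith(".so")],
    }


def build_sample() -> bytes:
    """Constructed sample: minimal TIFF header plus padding, then an appended ZIP with placeholder .so names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("loader_placeholder.so", b"\x7fELF placeholder, not a real library")
        zf.writestr("policy_placeholder.so", b"\x7fELF placeholder, not a real library")
    header = b"II*\x00" + struct.pack("<I", 8)      # TIFF magic + offset of the first IFD
    body = header + b"\x00" * 512                    # stand-in for image data
    return body + buf.getvalue()


if __name__ == "__main__":
    print(find_appended_zip(build_sample()))
```

A legitimate DNG has no ZIP structure after its image data, so any hit from this check is worth pulling the file for deeper analysis.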


The shared object that loads LANDFALL also communicates with a command-and-control (C2) server over HTTPS to enter into a beaconing loop and receive unspecified next-stage payloads for subsequent execution.

"At this point, we can't share details about the next-stage payloads delivered from the C2 server," Cohen said. "What we can say is that LANDFALL is a modular spyware framework -- the loader we analyzed is clearly designed to fetch and execute additional components from the C2 infrastructure. Those later stages likely extend its surveillance and persistence capabilities, but they weren’t recovered in the samples available to us."

It's currently not known who is behind the spyware or the campaign. That said, Unit 42 said LANDFALL's C2 infrastructure and domain registration patterns dovetail with those of Stealth Falcon (aka FruityArmor), although, as of October 2025, no direct overlaps between the two clusters have been detected.

The findings suggest that the delivery of LANDFALL is likely part of a broader DNG exploitation wave that also hit iPhone devices via the aforementioned exploit chains. They also highlight how sophisticated exploits can remain accessible in public repositories for extended periods of time, flying under the radar until they can be fully analyzed.

"We don't believe this specific exploit is still being used, since Samsung patched it in April 2025," Cohen said. "However, related exploit chains affecting Samsung and iOS devices were observed as recently as August and September, indicating that similar campaigns remained active until very recently. Some infrastructure that might be related to LANDFALL also remains online, which could suggest ongoing or follow-on activity by the same operators."

(The story was updated after publication to clarify details surrounding the use of WhatsApp as a distribution vector for the malware and additional insights from Unit 42.)
