LandFall Spyware: Exploiting a Samsung Zero-Day via WhatsApp

Alex Cipher, 5 min read

A single WhatsApp message carrying a cleverly disguised image file was all it took for the LandFall spyware to compromise some of Samsung’s most popular smartphones. By exploiting a zero-day vulnerability—CVE-2025-21042—in Samsung’s image processing library, attackers managed to remotely execute code and install a sophisticated surveillance toolkit. The attack chain is as innovative as it is alarming: a malformed .DNG image, appended with a ZIP archive, triggers a loader that downloads further malicious modules. This campaign, uncovered by researchers at Unit 42, highlights the growing risks posed by advanced spyware, especially as attackers increasingly target flagship devices like the Galaxy S22, S23, S24, Z Fold 4, and Z Flip 4. The LandFall case is a stark reminder that even the most secure-seeming devices can be vulnerable, especially when attackers leverage zero-day exploits and social engineering via trusted apps like WhatsApp (Unit 42, 2025).

Technical Analysis of LandFall Spyware

Exploitation Mechanism

The LandFall spyware exploits a zero-day vulnerability identified as CVE-2025-21042, an out-of-bounds write in Samsung’s Android image processing library, specifically in libimagecodec.quram.so, which allows a remote attacker to execute arbitrary code on a target device. Exploitation begins with the delivery of a malformed .DNG (raw image format) file with a ZIP archive appended at its end, sent to the victim’s device via WhatsApp. Upon receiving the file, the loader component (b.so) embedded within the DNG is activated; it retrieves and loads additional malicious modules onto the device.
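As an added example (not code from the article or from Unit 42's report), the following Python script implements the triage check a defender would want for the delivery format described above. It treats a buffer as a DNG/TIFF when it starts with a TIFF byte-order mark (DNG is a TIFF-based container), then looks for a ZIP end-of-central-directory record at the tail and validates it the way a ZIP reader would, so that a file which is simultaneously a valid image header and a valid trailing archive gets flagged. The samples it scans are constructed inline; the member names b.so and l.so mirror the report, but their contents are placeholder text, and the script never parses image data or touches the vulnerable codec.

```python
"""Triage check for DNG/TIFF images with a ZIP archive appended to the tail.

Added example, not code from the article or from Unit 42. ZIP readers locate an
archive from its end-of-central-directory (EOCD) record, which is why an archive
glued onto the end of another file still opens; a DNG that also parses as a ZIP
is therefore worth quarantining for closer analysis.
"""
import io
import struct
import zipfile
from dataclasses import dataclass, field
from typing import List, Optional

TIFF_MAGICS = (b"II*\x00", b"MM\x00*")  # little- and big-endian TIFF headers
ZIP_EOCD = b"PK\x05\x06"                # end-of-central-directory signature
ZIP_CENTRAL_DIR = b"PK\x01\x02"         # central directory file header signature
EOCD_SIZE = 22                          # fixed EOCD size, before the optional comment
MAX_COMMENT = 0xFFFF                    # longest archive comment allowed by the format
CD_HEADER_SIZE = 46                     # fixed central directory header size


@dataclass
class ZipTail:
    archive_start: int   # file offset of the first archive byte (0 for a plain ZIP)
    cd_start: int        # file offset of the central directory
    entries: int         # member count taken from the EOCD record


@dataclass
class Verdict:
    is_tiff: bool
    has_zip: bool
    zip_offset: Optional[int] = None
    members: List[str] = field(default_factory=list)
    native_libs: List[str] = field(default_factory=list)
    suspicious: bool = False


def find_trailing_zip(data: bytes) -> Optional[ZipTail]:
    """Locate a ZIP archive that ends exactly at the end of `data`.

    The EOCD is searched for in the last 64 KiB + 22 bytes, the same window a ZIP
    reader scans. Its central-directory offset is relative to the archive start, so
    any bytes before that start (here: the image) are prepended data. Zip64 records
    (fields set to 0xFFFFFFFF) are not handled by this check.
    """
    tail_start = max(0, len(data) - (MAX_COMMENT + EOCD_SIZE))
    pos = data.rfind(ZIP_EOCD, tail_start)
    while pos >= 0:
        if len(data) - pos >= EOCD_SIZE:
            entries, cd_size, cd_offset, comment_len = struct.unpack_from("<HIIH", data, pos + 10)
            if pos + EOCD_SIZE + comment_len == len(data):       # comment length must fit exactly
                cd_start = pos - cd_size                          # central directory sits just before EOCD
                archive_start = cd_start - cd_offset
                if archive_start >= 0 and data[cd_start:cd_start + 4] == ZIP_CENTRAL_DIR:
                    return ZipTail(archive_start, cd_start, entries)
        pos = data.rfind(ZIP_EOCD, tail_start, pos)               # a stray signature: keep looking
    return None


def list_members(data: bytes, tail: ZipTail) -> List[str]:
    """Read member names straight from the central directory headers."""
    names, pos = [], tail.cd_start
    for _ in range(tail.entries):
        if data[pos:pos + 4] != ZIP_CENTRAL_DIR:
            break
        name_len, extra_len, comment_len = struct.unpack_from("<HHH", data, pos + 28)
        names.append(data[pos + CD_HEADER_SIZE:pos + CD_HEADER_SIZE + name_len].decode("utf-8", "replace"))
        pos += CD_HEADER_SIZE + name_len + extra_len + comment_len
    return names


def inspect_image(data: bytes) -> Verdict:
    """Flag a buffer only when it carries a TIFF/DNG header AND a valid trailing ZIP."""
    is_tiff = len(data) >= 8 and data[:4] in TIFF_MAGICS
    tail = find_trailing_zip(data)
    verdict = Verdict(is_tiff=is_tiff, has_zip=tail is not None)
    if not (is_tiff and tail is not None):
        return verdict
    verdict.zip_offset = tail.archive_start
    verdict.members = list_members(data, tail)
    # Shared objects hidden inside an "image" are the strongest hint of a loader stage.
    verdict.native_libs = [n for n in verdict.members if n.endswith(".so")]
    verdict.suspicious = True
    return verdict


def build_minimal_tiff() -> bytes:
    """Constructed sample: little-endian TIFF header plus a one-entry IFD (ImageWidth=1).
    Not a renderable photo, just enough structure for the magic check."""
    header = b"II*\x00" + struct.pack("<I", 8)                 # byte order, magic 42, first IFD offset
    entry = struct.pack("<HHII", 256, 3, 1, 1)                   # tag ImageWidth, type SHORT, count 1, value 1
    return header + struct.pack("<H", 1) + entry + struct.pack("<I", 0)


def build_polyglot_sample() -> bytes:
    """Constructed sample with the layout the report describes: TIFF first, ZIP appended.
    Member names follow the report's loader naming; contents are harmless placeholders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("b.so", b"placeholder, not a real shared object")
        zf.writestr("l.so", b"placeholder, not a real shared object")
    return build_minimal_tiff() + buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("clean", build_minimal_tiff()), ("polyglot", build_polyglot_sample())):
        v = inspect_image(blob)
        print(f"{label}: suspicious={v.suspicious} zip_offset={v.zip_offset} members={v.members}")
```

A hit is a signal for quarantine and deeper analysis rather than proof of exploitation: image/ZIP polyglots also occur in benign contexts, and this check says nothing about the malformed image tags that actually trigger the codec bug. It is cheap enough to run on every inbound attachment at a mail or MDM gateway, and the `zip_offset` it reports is where an analyst should start carving.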

Components and Functionality

The LandFall spyware comprises several components that work together to achieve its malicious objectives. The primary components include:

  1. Loader (b.so): This component is responsible for downloading and executing additional modules. It acts as the initial stage of the infection process, ensuring that the spyware can load further payloads as needed.

  2. SELinux Policy Manipulator (l.so): This module modifies the security settings on the device to elevate permissions and establish persistence. By altering the SELinux policies, the spyware can bypass security mechanisms and maintain a foothold on the device.

  3. Command-and-Control (C2) Communication: LandFall establishes communication with its C2 servers to receive commands and exfiltrate data. Researchers at Unit 42 identified six C2 servers associated with the campaign, some of which have been flagged for malicious activity by Turkey’s CERT.

Targeted Devices and Capabilities

The spyware primarily targets Samsung Galaxy devices, specifically the S22, S23, and S24 series, as well as the Z Fold 4 and Z Flip 4 models. These devices are part of Samsung’s flagship lineup, making them attractive targets for attackers seeking high-value information.

LandFall’s capabilities are extensive and include:

  • Fingerprinting Devices: The spyware can collect hardware and SIM IDs, such as IMEI and IMSI, as well as user account details, Bluetooth information, and location services data.

  • Data Exfiltration: It can access and exfiltrate sensitive data, including photos, contacts, SMS, call logs, and browsing history.

  • Audio and Location Monitoring: The spyware is capable of recording microphone and call audio, as well as tracking the device’s location.

  • Persistence and Evasion: LandFall employs techniques to achieve persistence on the device and evade detection by security software.

Attribution and Similarities

Attribution of the LandFall spyware remains unclear. While the use of the “Bridge Head” name for the loader component suggests potential links to known spyware vendors like NSO Group, Variston, Cytrox, and Quadream, researchers have not been able to confidently link LandFall to any specific threat group or vendor. The Unit 42 analysis indicates that the C2 domain registration and infrastructure patterns share similarities with the Stealth Falcon operations, which are believed to originate from the United Arab Emirates. However, definitive attribution remains elusive.

Mitigation Strategies

To protect against the LandFall spyware and similar threats, users are advised to:

  • Apply Security Updates: Regularly update the mobile operating system and applications to patch known vulnerabilities.

  • Disable Automatic Media Downloading: Disable automatic downloading of media files in messaging apps like WhatsApp to prevent the automatic execution of malicious files.

  • Enable Advanced Protection Features: Utilize features such as ‘Advanced Protection’ on Android and ‘Lockdown Mode’ on iOS to enhance device security.

  • Monitor for Unusual Activity: Be vigilant for signs of unusual device behavior, such as unexpected battery drain or data usage, which may indicate the presence of spyware.

By implementing these strategies, users can reduce the risk of falling victim to spyware attacks and protect their sensitive information from unauthorized access.

Final Thoughts

LandFall’s exploitation of a Samsung zero-day through a simple WhatsApp message demonstrates just how creative—and dangerous—modern spyware campaigns have become. The attack’s modular design, ability to bypass security controls, and focus on high-value devices underscore the need for constant vigilance. While attribution remains murky, the infrastructure and tactics echo those of notorious surveillance vendors and state-sponsored actors. For users and organizations alike, the best defense remains a combination of timely updates, cautious digital habits, and leveraging advanced security features. As mobile threats evolve, so too must our strategies for staying one step ahead (Unit 42, 2025).
