Executive Summary

A sophisticated commercial-grade Android spyware, dubbed LANDFALL, is being used in targeted attacks against Samsung Galaxy devices. The spyware leverages a critical zero-day vulnerability, tracked as CVE-2025-21042, in Samsung's image processing library. The attack vector is a zero-click exploit delivered via a malformed DNG image file through messaging applications like WhatsApp. Once compromised, the spyware provides attackers with extensive surveillance capabilities, including audio recording, location tracking, and data exfiltration. The campaign, discovered by Palo Alto Networks' Unit 42, shows hallmarks of a private sector offensive actor (PSOA) operation, with potential links to the Stealth Falcon threat group, and appears to be targeting individuals in the Middle East.

Threat Overview

The attack begins when a target receives a specially crafted DNG image file via a messaging app such as WhatsApp. Due to the CVE-2025-21042 vulnerability in Samsung's image processing library, no user interaction is required to trigger the exploit (a zero-click attack). The vulnerability allows for arbitrary code execution when the application processes the malicious image preview.

Upon successful exploitation, the LANDFALL spyware is installed on the device. It grants attackers pervasive access to the device's data and sensors. The spyware is designed for stealth and persistence, manipulating Android's SELinux security policies to gain and maintain elevated privileges. The campaign's infrastructure and TTPs suggest it is operated by a sophisticated PSOA selling spyware capabilities to government clients. The targeting appears focused on several Middle Eastern countries, including Iraq, Iran, Turkey, and Morocco.

Technical Analysis

The core of the attack is the exploitation of CVE-2025-21042, a memory corruption flaw in a Samsung image processing library. This is delivered as a zero-click exploit, likely abusing how messaging apps handle image files.

Attack Chain:

1. Initial Access (T1190 - Exploit Public-Facing Application): The attacker sends a malicious DNG image to the target's Samsung device via WhatsApp or another messaging app.
2. Execution: The app's attempt to parse the image triggers the vulnerability, leading to code execution in the context of the messaging app.
3. Privilege Escalation & Defense Evasion: The initial payload likely exploits another vulnerability (e.g., CVE-2025-21043) to escalate privileges. LANDFALL then manipulates SELinux policies to weaken device security and evade detection.
4. Persistence (T1547 - Boot or Logon Autostart Execution): The spyware establishes persistence to survive reboots, ensuring long-term access.
5. Collection & Exfiltration: LANDFALL performs extensive data collection, including:
   • Audio recording via the microphone (T1417 - Input Capture).
   • Location tracking.
   • Exfiltration of photos, contacts, and call logs.
   • Data is likely exfiltrated over an encrypted channel (T1573 - Encrypted Channel) to attacker-controlled C2 servers.

The investigation was sparked by a similar iOS exploit chain discovered in August 2025 that also used a DNG parsing flaw (CVE-2025-43300), suggesting a common origin or shared exploit developer.

Impact Assessment

The impact of a successful LANDFALL infection is severe, representing a complete loss of privacy and confidentiality for the victim. Attackers gain the ability to monitor conversations, track movements, and steal a vast trove of personal and professional data. Given the suspected use by government clients and targeting in the Middle East, likely victims include journalists, activists, political dissidents, and government officials. The breach of their communications could lead to physical harm, blackmail, or political persecution. For organizations, a compromised device belonging to a key employee could lead to the exposure of sensitive corporate strategies, intellectual property, or internal communications.

Cyber Observables for Detection

Detection & Response

Detecting zero-click exploits is extremely challenging for end-users. Organizations should rely on layered defenses.

• Mobile Threat Defense (MTD): Deploy MTD solutions on corporate devices. These tools can detect malicious processes, anomalous network traffic, and unauthorized privilege escalation attempts. Reference D3FEND technique D3-PA: Process Analysis.
• Network Monitoring: Analyze network logs for suspicious outbound connections from mobile devices. Egress filtering can block traffic to known malicious infrastructure. Reference D3FEND technique D3-NTA: Network Traffic Analysis.
• Forensic Analysis: If an infection is suspected, immediately isolate the device from all networks. Perform a full forensic analysis to identify the spyware, determine the extent of the data breach, and collect indicators of compromise (IOCs).

Mitigation

• Patch Management (M1051 - Update Software): The most critical mitigation is to apply security updates from Samsung as soon as they become available. This is a zero-day, so a patch is not yet available, but users should enable automatic updates. This aligns with D3FEND's D3-SU: Software Update.
• Application Isolation (M1048 - Application Isolation and Sandboxing): While Android's sandboxing is bypassed here, ensuring that messaging apps do not have unnecessary permissions can limit the potential impact of an exploit.
• User Training (M1017 - User Training): High-risk individuals should be trained to be cautious of unsolicited messages, even from known contacts, and understand the risks of mobile spyware.
• Device Restart: Regularly restarting the device can, in some cases, remove non-persistent or less sophisticated spyware. However, LANDFALL is described as persistent, making this less effective.