Samsung Zero-Day Exploited in the Wild to Install 'LANDFALL' Android Spyware

Actively Exploited Zero-Day (CVE-2025-21042) in Samsung Devices Used to Deploy LANDFALL Spyware via WhatsApp

CRITICAL
November 7, 2025
Vulnerability, Malware, Mobile Security

Related Entities

Products & Tech: WhatsApp, Android, VirusTotal

Other: LANDFALL

CVE Identifiers:
  • CVE-2025-21042 (HIGH, CVSS 8.8)
  • CVE-2025-21043 (HIGH, CVSS 8.8)

Executive Summary

Researchers from Palo Alto Networks' Unit 42 have detailed an attack campaign that used a zero-day vulnerability in Samsung Galaxy devices to deploy a sophisticated Android spyware named LANDFALL. The vulnerability, tracked as CVE-2025-21042 (CVSS 8.8), was an out-of-bounds write issue in a core image processing library. Attackers exploited this flaw by sending specially crafted Digital Negative (DNG) image files to victims, likely via WhatsApp. Upon processing the malicious image, the vulnerability would trigger, allowing the attackers to execute arbitrary code and install the LANDFALL spyware. The campaign, tracked as CL-UNK-1054, targeted individuals in Iraq, Iran, Turkey, and Morocco. Samsung patched the vulnerability in April 2025 after being notified of the in-the-wild exploitation. The incident is part of a disturbing trend of threat actors targeting image parsing libraries on mobile devices as a vector for compromise.


Vulnerability Details

  • CVE-2025-21042: A critical out-of-bounds write vulnerability in the libimagecodec.quram.so library on certain Samsung Android devices. This library is responsible for processing various image formats, including DNG.
  • Attack Vector: The vulnerability is triggered when a user receives and views a malicious DNG image file. The attack is considered a zero-click or one-click exploit, depending on the messaging application's handling of image previews.
  • Impact: Successful exploitation allows a remote attacker to execute arbitrary code with the privileges of the image parsing process. This code execution was used as a foothold to install the LANDFALL spyware payload.
  • Patch Status: Samsung addressed this vulnerability in its April 2025 security update.

A related vulnerability, CVE-2025-21043, was also disclosed as an exploited zero-day in the same library, though it has not been linked to the LANDFALL campaign.

Threat Overview

The attack campaign demonstrates a high level of sophistication, leveraging a previously unknown vulnerability in a ubiquitous device to deploy commercial-grade spyware. The use of a DNG image file sent via WhatsApp as the delivery mechanism is particularly stealthy. The malicious DNG file contained an embedded ZIP archive. The exploit chain leveraged the parsing flaw to extract and execute a shared object library from this archive, which acted as the installer for the LANDFALL spyware.

Unit 42's analysis of artifacts uploaded to VirusTotal, with filenames like WhatsApp Image 2025-02-10 at 4.54.17 PM.jpeg, suggests the campaign was active as early as July 2024. The geographical focus on the Middle East (Iraq, Iran, Turkey, Morocco) points towards a targeted espionage operation rather than a widespread attack.
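The two observations above (a DNG container that carries an embedded ZIP archive, and samples circulating under a .jpeg filename) give a defender two cheap triage signals. The script below is an added example written for this article, not a Unit 42 tool: it classifies a file by its magic bytes instead of its extension, flags a .jpeg name sitting on a TIFF/DNG header, and reports any ZIP archive found inside the image bytes. The samples it runs on are constructed inside the script (a minimal TIFF header with an appended archive, and a plain JPEG) and are not the campaign's artefacts; nothing about the real file layout beyond "DNG with an embedded ZIP" is assumed.

```python
import io
import struct
import zipfile
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# DNG is a TIFF container: a byte-order mark followed by the TIFF magic 42.
TIFF_MAGICS = (b"II*\x00", b"MM\x00*")
JPEG_MAGIC = b"\xff\xd8\xff"
ZIP_LOCAL_HEADER = b"PK\x03\x04"
ZIP_EOCD = b"PK\x05\x06"


@dataclass
class TriageResult:
    filename: str
    container: str                  # "tiff/dng", "jpeg" or "unknown"
    extension_mismatch: bool
    zip_offset: Optional[int]
    zip_members: List[str] = field(default_factory=list)

    @property
    def embedded_zip(self) -> bool:
        return self.zip_offset is not None

    @property
    def suspicious(self) -> bool:
        return self.extension_mismatch or self.embedded_zip


def detect_container(data: bytes) -> str:
    """Classify the file by magic bytes rather than by the name it was sent under."""
    if data[:4] in TIFF_MAGICS:
        return "tiff/dng"
    if data[:3] == JPEG_MAGIC:
        return "jpeg"
    return "unknown"


def find_embedded_zip(data: bytes) -> Tuple[Optional[int], List[str]]:
    """Return (offset, member names) of a ZIP archive embedded in the image bytes,
    or (None, []) if none is present. A local-file header with no end-of-central-
    directory record after it is treated as no archive."""
    start = data.find(ZIP_LOCAL_HEADER)
    if start == -1 or data.rfind(ZIP_EOCD) < start:
        return None, []
    try:
        with zipfile.ZipFile(io.BytesIO(data[start:])) as zf:
            return start, zf.namelist()
    except zipfile.BadZipFile:
        # Signatures are present but the archive does not parse; still report the offset.
        return start, []


def triage_image(filename: str, data: bytes) -> TriageResult:
    container = detect_container(data)
    ext = filename.lower().rsplit(".", 1)[-1] if "." in filename else ""
    claims_jpeg = ext in ("jpg", "jpeg")
    claims_dng = ext == "dng"
    mismatch = (claims_jpeg and container != "jpeg") or (claims_dng and container != "tiff/dng")
    offset, members = find_embedded_zip(data)
    return TriageResult(filename, container, mismatch, offset, members)


def make_minimal_tiff() -> bytes:
    """Constructed sample: little-endian TIFF header pointing at an empty IFD (14 bytes)."""
    header = b"II*\x00" + struct.pack("<I", 8)          # magic + offset of first IFD
    ifd = struct.pack("<H", 0) + struct.pack("<I", 0)  # zero entries, no next IFD
    return header + ifd


def make_zip(members: dict) -> bytes:
    """Constructed sample: an uncompressed ZIP archive built in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples, not campaign artefacts: a TIFF/DNG with a trailing ZIP archive
# delivered under a .jpeg name, and a plain JPEG for comparison.
SAMPLE_POLYGLOT = make_minimal_tiff() + make_zip({"payload.bin": b"constructed placeholder"})
SAMPLE_CLEAN_JPEG = JPEG_MAGIC + b"\xe0" + b"\x00" * 64


if __name__ == "__main__":
    for name, blob in [("WhatsApp Image 2025-02-10 at 4.54.17 PM.jpeg", SAMPLE_POLYGLOT),
                       ("holiday.jpeg", SAMPLE_CLEAN_JPEG)]:
        r = triage_image(name, blob)
        print(f"{r.filename}: container={r.container} mismatch={r.extension_mismatch} "
              f"zip_at={r.zip_offset} members={r.zip_members} suspicious={r.suspicious}")
```

Both checks are heuristics for prioritising samples, not proof of exploitation: a legitimate app can mislabel a file, and a ZIP signature can occur by chance inside compressed image data, so a hit should route the file to a sandbox or a parser-specific analysis rather than be treated as a verdict.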

This attack methodology is consistent with other high-profile mobile exploits, such as the BLASTPASS campaign that targeted Apple's Image I/O framework. It proves that image processing libraries remain a fragile and high-value attack surface for mobile threat actors.

Impact Assessment

The primary impact is a total loss of confidentiality for the targeted individuals. Commercial-grade spyware like LANDFALL is designed to be a comprehensive surveillance tool, capable of accessing messages, emails, photos, location data, and activating the microphone and camera. For the targets—potentially journalists, activists, or political dissidents in the Middle East—such a compromise could have severe real-world consequences. For Samsung, the incident damages brand trust and highlights the ongoing challenge of securing complex software components in their devices.

Detection & Response

  • Patching: The primary defense is to ensure all Samsung devices are updated with the April 2025 security patch or a later version. Mobile Device Management (MDM) solutions can be used to enforce patch compliance in enterprise environments.
  • Network Monitoring: Monitor for unusual outbound traffic from mobile devices to unknown command-and-control (C2) servers. This is harder for mobile devices, which frequently move between networks, but it is feasible on corporate Wi-Fi where traffic can be inspected.
  • App Scrutiny: Advise users to be cautious of unsolicited files, even from known contacts, and to regularly review installed applications for anything suspicious.

Mitigation and Recommendations

  1. Apply Updates Immediately: All users of Samsung Galaxy devices must ensure their devices are running the latest available software version. Check for updates via Settings > Software update. D3FEND Technique: D3-SU: Software Update.
  2. Limit Media Auto-Downloads: In messaging apps like WhatsApp, disable the automatic downloading of media files (Settings > Storage and data > Media auto-download). This forces the user to manually download an image, providing a small window for decision-making and potentially preventing zero-click exploitation. D3FEND Technique: D3-ACH: Application Configuration Hardening.
  3. Use Endpoint Protection for Mobile: For enterprise users, consider deploying a Mobile Threat Defense (MTD) solution that can detect malicious processes, network connections, and system integrity violations on Android devices.
  4. Reboot Regularly: Regularly rebooting a device can sometimes disrupt non-persistent or less sophisticated spyware implants, forcing the attacker to re-exploit the device.
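Enforcing the first recommendation across a fleet comes down to comparing each device's Android security patch level against the release that fixed the flaw. The script below is an added example for this article, not part of any MDM product: it parses the value of the standard Android property ro.build.version.security_patch (a YYYY-MM-DD string) from a constructed inventory export, buckets each device as patched, exposed or unknown against an assumed baseline of 2025-04-01 (the report only says "April 2025", so the exact day is this example's assumption), and reports the compliance ratio. Device identifiers and model names in the inventory are placeholders.

```python
import csv
import io
import re
from datetime import date
from typing import Dict, List, Optional

# Samsung shipped the fix for CVE-2025-21042 in its April 2025 security update (per the
# report). Any device whose patch level predates this baseline is treated as still exposed.
# The exact day is this example's assumption.
FIX_BASELINE = date(2025, 4, 1)

# The Android property that carries the patch level, in YYYY-MM-DD form.
PATCH_PROPERTY = "ro.build.version.security_patch"
PATCH_RE = re.compile(r"^(\d{4})-(\d{2})-(\d{2})$")

# Constructed MDM inventory export; device ids and models are placeholders, not real assets.
INVENTORY_CSV = """\
device_id,model,security_patch
dev-001,placeholder-model-A,2025-05-01
dev-002,placeholder-model-B,2025-03-01
dev-003,placeholder-model-C,2025-04-01
dev-004,placeholder-model-D,
dev-005,placeholder-model-E,2024-12-01
dev-006,placeholder-model-F,not-reported
"""


def parse_patch_level(value: str) -> Optional[date]:
    """Turn a ro.build.version.security_patch string into a date; None if missing or malformed."""
    m = PATCH_RE.match((value or "").strip())
    if not m:
        return None
    try:
        return date(int(m.group(1)), int(m.group(2)), int(m.group(3)))
    except ValueError:  # e.g. month 13: treat as unknown rather than as patched
        return None


def assess_fleet(inventory_csv: str, baseline: date = FIX_BASELINE) -> Dict[str, List[str]]:
    """Bucket every device as patched, exposed or unknown relative to the baseline."""
    report: Dict[str, List[str]] = {"patched": [], "exposed": [], "unknown": []}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        level = parse_patch_level(row.get("security_patch", ""))
        if level is None:
            report["unknown"].append(row["device_id"])
        elif level >= baseline:
            report["patched"].append(row["device_id"])
        else:
            report["exposed"].append(row["device_id"])
    return report


def compliance_ratio(report: Dict[str, List[str]]) -> float:
    """Share of the fleet confirmed patched; devices with an unknown level count against it."""
    total = sum(len(v) for v in report.values())
    return len(report["patched"]) / total if total else 0.0


if __name__ == "__main__":
    result = assess_fleet(INVENTORY_CSV)
    for bucket, devices in result.items():
        print(f"{bucket:8s} {len(devices):3d}  {', '.join(devices)}")
    print(f"compliance: {compliance_ratio(result):.0%} (baseline {FIX_BASELINE})")
```

On a single device the same value can be read with `adb shell getprop ro.build.version.security_patch`. Devices that report no level, or a malformed one, are deliberately counted as non-compliant: an inventory gap is not evidence that the patch is present.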

Timeline of Events

  1. July 23, 2024: Earliest evidence of the LANDFALL campaign, based on VirusTotal submission timestamps.
  2. April 1, 2025: Samsung releases a security patch for CVE-2025-21042.
  3. November 7, 2025: Palo Alto Networks' Unit 42 publishes research on the LANDFALL spyware and exploitation campaign.
  4. November 7, 2025: This article was published.

MITRE ATT&CK Mitigations

  • Applying the April 2025 security update from Samsung is the primary way to remediate the vulnerability. Mapped D3FEND Technique: D3-SU: Software Update.
  • Disable auto-downloading of media in messaging apps to prevent zero-click exploitation scenarios. Mapped D3FEND Technique: D3-ACH: Application Configuration Hardening.
D3FEND Defensive Countermeasures

All owners of Samsung Galaxy devices must prioritize the installation of the latest security patches. This specific attack exploited CVE-2025-21042, which was patched in the April 2025 security release. Users should navigate to Settings > Software update and select Download and install. For enterprises managing fleets of Samsung devices, a Mobile Device Management (MDM) platform should be used to enforce a strict update policy, ensuring that 100% of devices are running a patched OS version. This is the most direct and effective countermeasure to prevent exploitation of this known vulnerability.

As a crucial preventative measure, users should harden the configuration of messaging applications like WhatsApp. Specifically, disable the automatic downloading of media files (images, videos, documents). In WhatsApp, this can be done under Settings > Storage and data. By disabling auto-downloads, a malicious file like the DNG image used in this attack is not automatically processed by the vulnerable library. This forces the user to manually tap to download the file, converting a potential zero-click exploit into a one-click exploit and giving the user a chance to question the file's origin. This simple configuration change significantly reduces the attack surface for exploits targeting media parsing libraries.

Organizations with high-risk users should consider implementing a Mobile Threat Defense (MTD) solution. An MTD agent installed on the Samsung device can perform dynamic analysis of running processes and network connections. In the context of the LANDFALL attack, an MTD could have detected the anomalous behavior following the exploit, such as the process that loaded libimagecodec.quram.so spawning a shell, writing an executable to disk, or making a network connection to a new command-and-control server. This provides a layer of detection for zero-day attacks where a patch is not yet available, allowing for rapid isolation of a compromised device.
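The three behaviours named above (a shell spawned, an executable written to disk, a connection to an unseen server) only become meaningful when they are tied to the process that decoded the image. The detector below is an added example for this article, not an MTD vendor's rule: it reads constructed JSON-lines telemetry, remembers which process loaded libimagecodec.quram.so, and raises an alert only when one of those processes later execs a shell, writes an ELF into app-private storage, or connects to a host outside a known baseline. The event schema, process ids, file paths, the com.example.messenger package and the 203.0.113.10 address (a documentation range) are all constructed for the example.

```python
import json
from typing import List, Set, Tuple

# Library named in the report as the vulnerable image codec.
TARGET_LIB = "libimagecodec.quram.so"
SHELL_BINARIES = {"/system/bin/sh"}
ELF_MAGIC_HEX = "7f454c46"  # first four bytes of an ELF file, hex-encoded

# Constructed MTD-style telemetry, one JSON object per line. Field names, pids and paths
# are this example's own, not any vendor's schema or a real device trace.
TELEMETRY = """\
{"ts": 1, "pid": 4101, "type": "lib_load", "path": "/system/lib64/libimagecodec.quram.so"}
{"ts": 2, "pid": 4101, "type": "file_open", "path": "/storage/emulated/0/Download/WhatsApp Image 2025-02-10 at 4.54.17 PM.jpeg"}
{"ts": 3, "pid": 4101, "type": "file_write", "path": "/data/data/com.example.messenger/files/stage.so", "magic": "7f454c46"}
{"ts": 4, "pid": 4101, "type": "exec", "path": "/system/bin/sh"}
{"ts": 5, "pid": 4101, "type": "connect", "dst": "203.0.113.10:443"}
{"ts": 6, "pid": 5200, "type": "exec", "path": "/system/bin/sh"}
{"ts": 7, "pid": 4101, "type": "connect", "dst": "media.example.net:443"}
{"ts": 8, "pid": 4101, "type": "file_write", "path": "/data/data/com.example.messenger/cache/thumb.bin", "magic": "ffd8ffe0"}
"""

# Hosts the messaging app was already known to contact (constructed baseline); any other
# destination reached by an image-decoding process is reported.
KNOWN_DESTINATIONS: Set[str] = {"media.example.net"}


def host_of(dst: str) -> str:
    """Strip the port from a host:port string."""
    return dst.rsplit(":", 1)[0]


def detect(telemetry: str, known_destinations: Set[str]) -> List[Tuple[int, int, str]]:
    """Correlate events per process: once a process has loaded the vulnerable codec, flag a
    shell spawn, an ELF written under /data, or a connection to a host outside the baseline.
    Returns (ts, pid, rule) tuples in event order."""
    decoders: Set[int] = set()
    alerts: List[Tuple[int, int, str]] = []
    for line in telemetry.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        pid, kind = ev["pid"], ev["type"]
        if kind == "lib_load" and ev["path"].endswith(TARGET_LIB):
            decoders.add(pid)
            continue
        if pid not in decoders:
            continue  # a shell from an unrelated process is outside this rule's scope
        if kind == "exec" and ev["path"] in SHELL_BINARIES:
            alerts.append((ev["ts"], pid, "decoder_spawned_shell"))
        elif kind == "file_write" and ev.get("magic") == ELF_MAGIC_HEX and ev["path"].startswith("/data/"):
            alerts.append((ev["ts"], pid, "decoder_wrote_elf"))
        elif kind == "connect" and host_of(ev["dst"]) not in known_destinations:
            alerts.append((ev["ts"], pid, "decoder_unknown_destination"))
    return alerts


if __name__ == "__main__":
    for ts, pid, rule in detect(TELEMETRY, KNOWN_DESTINATIONS):
        print(f"ts={ts} pid={pid} {rule}")
```

Keying on the library-load event is what keeps the rule quiet: a shell from an unrelated process (pid 5200 in the sample) and a JPEG thumbnail written by the decoder are both ignored, while the three post-exploitation behaviours from the decoding process are each reported. On Android the codec typically runs inside the messaging app's own process, so in practice the "decoder" is that app, which is also why the destination baseline is built per app.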

Sources & References

Samsung Mobile Flaw Exploited as Zero-Day to Deploy LANDFALL Android Spyware
The Hacker News (thehackernews.com) November 7, 2025

Article Author

Jason Gomes, Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.


Tags

Zero-Day, Spyware, Android, Samsung, Mobile Security, CVE-2025-21042
