Security researchers have discovered an espionage campaign that exploited a zero-day vulnerability in Samsung Galaxy devices to install LANDFALL spyware. The attacks occurred mainly in Iraq, Iran, Türkiye and Morocco, using images in DNG format sent via WhatsApp. The flaw, identified as CVE-2025-21042, allowed remote code execution without user interaction, and was fixed by Samsung in April 2025.
The campaign, tracked as CL-UNK-1054, began in July 2024 and continued for months before the fix. Samples of the malware were uploaded to VirusTotal by users in these regions, indicating specific targets. The US Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerability to its catalog of exploited flaws in November 2025, requiring remediation across federal agencies by December.
Exploit mechanism in DNG images
The malicious files were disguised as ordinary WhatsApp photos, with names like “IMG-20240723-WA0000.jpg”. These DNGs carried a ZIP archive appended at the end of the file and exploited an out-of-bounds write in the libimagecodec.quram.so library.
Automatic processing of the image triggered the exploit, which extracted shared libraries from the embedded archive and executed the spyware. A second library manipulated the SELinux policy, elevating privileges and ensuring persistence on the system.
Because the exploit was zero-click, it required no action from the victim, and the attack went unnoticed in most cases. Affected devices included Galaxy S22, S23, S24, Z Fold4, and Z Flip4 models running Android 13 to 16.
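The file layout described above, an image that is a valid DNG/TIFF at the front with a ZIP archive appended at the end, can be triaged without any knowledge of the parser bug itself. The following script is an added example written for this article; it is not code from the researchers, from Samsung, or from the campaign. It checks for the TIFF byte-order mark that every DNG starts with, then asks Python's standard zipfile module whether a parseable archive sits at the tail of the file (zipfile locates the end-of-central-directory record from the end and rebases offsets, so prepended image data does not hide the archive), and finally lists any `.so` members. The sample inputs are constructed in the script; the member names `lib_sample.so` and `config.bin` are hypothetical.

```python
import io
import struct
import zipfile

# DNG is a TIFF-based container, so a legitimate file begins with a TIFF header.
TIFF_MAGICS = (b"II*\x00", b"MM\x00*")  # little-endian / big-endian byte-order marks
ZIP_EOCD = b"PK\x05\x06"                # ZIP end-of-central-directory signature


def is_tiff_like(data: bytes) -> bool:
    """True when the buffer starts with a TIFF/DNG byte-order mark and magic number."""
    return data[:4] in TIFF_MAGICS


def find_appended_zip(data: bytes):
    """Return (zip_start_offset, member_names) if a parseable ZIP archive is appended
    after the image, otherwise None. zipfile tolerates prepended data because it
    locates the end-of-central-directory record from the end of the file and
    rebases every header offset accordingly."""
    if data.rfind(ZIP_EOCD) == -1:
        return None
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            infos = zf.infolist()
            if not infos:
                return None
            start = min(zi.header_offset for zi in infos)  # absolute offset of first local header
            return start, [zi.filename for zi in infos]
    except zipfile.BadZipFile:
        return None


def scan_image(data: bytes) -> dict:
    """Heuristic triage of one image buffer: is it TIFF/DNG-shaped, does it carry a
    trailing ZIP, and does that ZIP contain shared objects (*.so)?"""
    result = {"is_tiff": is_tiff_like(data), "has_appended_zip": False,
              "zip_offset": None, "members": [], "shared_libraries": []}
    found = find_appended_zip(data)
    if found:
        start, names = found
        result.update(has_appended_zip=True, zip_offset=start, members=names,
                      shared_libraries=[n for n in names if n.lower().endswith(".so")])
    return result


# --- constructed samples (not real malware) ----------------------------------

def build_clean_tiff() -> bytes:
    """Minimal little-endian TIFF: header pointing at an IFD with zero entries."""
    header = b"II*\x00" + struct.pack("<I", 8)         # first IFD at offset 8
    ifd = struct.pack("<H", 0) + struct.pack("<I", 0)  # 0 entries, no next IFD
    return header + ifd + b"\x00" * 64                  # padding stands in for pixel data


def build_sample_polyglot() -> bytes:
    """Constructed DNG-lookalike with a ZIP archive appended, mirroring the
    'image followed by an embedded ZIP' layout the article describes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("lib_sample.so", b"\x7fELF placeholder")  # hypothetical member names
        zf.writestr("config.bin", b"placeholder")
    return build_clean_tiff() + buf.getvalue()


if __name__ == "__main__":
    for label, sample in (("clean", build_clean_tiff()), ("polyglot", build_sample_polyglot())):
        print(label, scan_image(sample))
```

Run against a directory of received media, a hit on `has_appended_zip` for a file whose extension says it is a photo is worth quarantining and reviewing, and `.so` members make the verdict much stronger; the check is cheap enough to run on every attachment in an MDM-managed fleet.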

LANDFALL spyware capabilities
LANDFALL collected data comprehensively, accessing multiple sources on the compromised device. Among the functions, the following stood out:
- Audio recording via microphone in real time.
- Precise geographic location tracking.
- Extraction of photos, contacts and call history.
- Reading SMS and stored files.
After installation, the malware connected to a command and control server via HTTPS. This connection allowed for beaconing loops and the download of additional payloads, expanding its operations.
The modular architecture facilitated remote updates, letting the spyware adapt to emerging defenses. Researchers noted that the initial component referred to itself as “Bridge Head”, a term common in the loaders of tools sold by private offensive-capability companies.
Patterns similar to known operations
LANDFALL’s control infrastructure overlapped with that of the Stealth Falcon group, also called FruityArmor. This actor, linked to espionage in the Middle East since 2012, uses similar tactics in campaigns against activists and journalists.
Domain registrations and C2 patterns partially coincided, but without direct evidence until October 2025. The similarity suggests possible use of commercial tools by state or private actors.
The campaign avoided detection for months, with public samples on VirusTotal since July 2024. This exposes the difficulty in identifying exploits in open repositories.
Recurring vulnerabilities in image libraries
Flaws in DNG image processors emerge as a recurring vector in mobile attacks. In September 2025, Samsung patched CVE-2025-21043 in the same library, exploited in-the-wild, but with no direct link to LANDFALL.
WhatsApp reported in a similar period a chain of vulnerabilities in iOS and macOS, affecting fewer than 200 users. These cases indicate a wave of zero-click exploits in messaging apps.
The trend reflects attackers’ focus on shared libraries, such as libimagecodec.quram.so, to achieve remote execution. Regular updates mitigate risks, but patch delays prolong exposures.
Protective measures for users
Galaxy owners should check for security updates monthly. The April 2025 patch eliminated CVE-2025-21042, but outdated devices remain vulnerable.
Disable automatic media downloads in WhatsApp to reduce risk. Tools like Google Play Protect regularly scan apps and files.
Companies with fleets of Samsung devices can use MDM to force patches. Monitor logs for image processing failures, flagging potential infections.
The campaign highlights the importance of rapid patching in Android ecosystems. With over 3 billion users worldwide, patch delays leave exposure at a massive scale.