A sophisticated spyware operation targeting Samsung Galaxy devices, dubbed LANDFALL, exploited a zero-day vulnerability to infiltrate phones via seemingly innocuous images shared on WhatsApp.
The campaign, active since mid-2024, allowed attackers to deploy commercial-grade Android malware capable of full device surveillance without user interaction.
The discovery underscores ongoing threats from state-linked surveillance tools in the Middle East, where such intrusions have become alarmingly frequent.
Unit 42's investigation began in mid-2025 while probing iOS exploit samples, leading to the discovery of Android-specific malware embedded in Digital Negative (DNG) image files.
These files, often disguised with WhatsApp-style names like "IMG-20240723-WA0000.jpg", were uploaded to VirusTotal from locations including Morocco, Iran, Iraq, and Turkey between July 2024 and early 2025.
Embedded ZIP file (Source: Unit 42)
Researchers determined that LANDFALL leveraged CVE-2025-21042, a critical flaw in Samsung's image processing library libimagecodec.quram.so, patched in April 2025 after reports of in-the-wild exploitation surfaced.
Unlike the comparable iOS attacks disclosed in August and September 2025, this Android chain predated those events and showed no flaw in WhatsApp itself.
The operation's precision suggests targeted espionage rather than broad distribution, with infrastructure overlaps with vendors like Stealth Falcon, known for targeting Emirati activists since 2012.
Samsung 0-Day Exploited via WhatsApp
The attack chain relied on malformed DNG files containing an appended ZIP archive, tricking the vulnerable library into extracting and executing shared object (.so) libraries that installed the spyware.
Attack Chain (Source: Unit 42)
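The appended-archive trick described above can be checked for directly on disk. The following is an added example, not Unit 42's tooling or Samsung's code: it walks the ZIP central directory from the end of a DNG (TIFF-based) file, resolves where the appended archive really starts, and lists any embedded .so entries. The sample file it builds is constructed for the demonstration, not a real LANDFALL artifact.

```python
import io
import struct
import zipfile

TIFF_MAGICS = (b"II*\x00", b"MM\x00*")   # little/big-endian TIFF header; DNG is TIFF-based


def find_appended_zip(data: bytes):
    """Return (zip_start, entry_names) if a ZIP archive is appended to a TIFF/DNG
    image, else None. The End Of Central Directory (EOCD) record is parsed by hand
    so offsets are resolved relative to the archive start, not the image start."""
    if data[:4] not in TIFF_MAGICS:
        return None
    eocd = data.rfind(b"PK\x05\x06")            # EOCD signature, last one in the file
    if eocd < 0:
        return None
    # EOCD: sig(4) disk(2) cd_disk(2) n_disk(2) n_total(2) cd_size(4) cd_off(4) comment_len(2)
    n_total, cd_size, cd_off = struct.unpack_from("<HII", data, eocd + 10)
    cd_start = eocd - cd_size
    zip_start = cd_start - cd_off                # true start of the appended archive
    if zip_start < 8:                            # an archive must sit after the TIFF header
        return None
    names, pos = [], cd_start
    for _ in range(n_total):
        if data[pos:pos + 4] != b"PK\x01\x02":   # central file header signature
            break
        # central file header: name_len at +28, extra_len at +30, comment_len at +32, name at +46
        name_len, extra_len, comment_len = struct.unpack_from("<HHH", data, pos + 28)
        names.append(data[pos + 46:pos + 46 + name_len].decode("utf-8", "replace"))
        pos += 46 + name_len + extra_len + comment_len
    return zip_start, names


def suspicious_entries(names):
    """Entries a defender would flag: ELF shared objects carried inside an image file."""
    return [n for n in names if n.lower().endswith(".so")]


def build_sample() -> bytes:
    """Constructed input (hypothetical, not a real sample): a minimal valid TIFF header
    with an empty IFD, followed by a ZIP holding a fake .so and a benign text file."""
    tiff = b"II*\x00" + struct.pack("<I", 8) + struct.pack("<H", 0) + struct.pack("<I", 0)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("libfake_loader.so", b"\x7fELF placeholder")
        z.writestr("notes.txt", b"benign")
    return tiff + buf.getvalue()


if __name__ == "__main__":
    found = find_appended_zip(build_sample())
    print("appended zip at offset", found[0], "entries", found[1], "flagged", suspicious_entries(found[1]))
```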
Upon infection, LANDFALL granted attackers access to microphones for recording, precise GPS tracking, and harvesting of photos, contacts, call logs, and messages.
It specifically targeted Galaxy models like the S22, S23, S24, and Z series running Android 13 to 15, enabling zero-click deployment via messaging apps.
This mirrors patterns in recent iOS exploits but highlights a recurring weakness in mobile image processors across platforms.
Samsung's September 2025 patch for CVE-2025-21043 addressed a related zero-day in the same library, bolstering defenses against future image-based attacks.
Despite the patches, the campaign evaded detection for nearly a year, emphasizing the stealth of private-sector offensive actors (PSOAs) in regional surveillance.
For current Samsung users, the risk is mitigated since both vulnerabilities are patched, but the revelation exposes how commercial spyware vendors supply tools to governments for unchecked spying.
Unit 42 noted no attribution to specific actors, but the Middle East focus aligns with prior PSOA operations. Experts urge vigilance on image previews in apps like WhatsApp and recommend timely updates to avert similar threats.
This case joins a wave of mobile exploits, from Pegasus to recent iOS chains, signaling an arms race where zero-days remain a prime weapon.
As spyware evolves, collaboration between vendors like Samsung and researchers is critical to outpace attackers.
