Listen to this Post
A new wave of cyber espionage has hit Samsung Galaxy users, revealing the alarming sophistication of modern spyware. Researchers at Palo Alto Networks’ Unit 42 have uncovered a highly advanced Android malware campaign, dubbed LANDFALL, which exploited a previously unknown zero-day vulnerability in Samsung devices. Delivered through seemingly harmless WhatsApp images, this spyware allowed attackers to execute remote surveillance without any user interaction, highlighting both the cunning of threat actors and the urgency for robust mobile security.
Sophisticated Malware Hides in Plain Sight
The LANDFALL campaign targeted Samsung Galaxy devices, including the S22, S23, S24, Z Fold4, and Z Flip4 models. Beginning in mid-2024, months before Samsung patched the vulnerability in April 2025, attackers embedded malicious code in specially crafted DNG (Digital Negative) image files that appeared as ordinary WhatsApp images. The filenames, such as “WhatsApp Image 2025-02-10 at 4.54.17 PM.jpeg,” mimicked typical user-generated content to evade suspicion.
This attack leveraged CVE-2025-21042, a critical flaw in Samsung’s libimagecodec.quram.so library. The vulnerability allowed zero-click remote code execution, meaning recipients could be infected simply by receiving the image—no interaction required. Such tactics mirror prior exploit chains targeting iOS, underlining the growing cross-platform sophistication of spyware operators.
Discovery and Analysis
Unit 42 uncovered LANDFALL while investigating a parallel iOS exploit chain reported in August 2025. Researchers found six malicious DNG samples uploaded to VirusTotal between July 2024 and February 2025, each containing ZIP archives with spyware components. The malware’s b.so module communicated with its command-and-control (C2) server over HTTPS using unconventional TCP ports, evading standard network monitoring.
Advanced Spyware Capabilities
LANDFALL’s capabilities are extensive. The malware can record audio, intercept calls, track location, and exfiltrate photos, contacts, SMS messages, call logs, and browsing history. Additionally, it includes anti-analysis measures to detect debugging tools and security frameworks, highlighting the commercial-grade sophistication typical of private sector offensive actors (PSOAs).
Technical infrastructure analysis suggests links to Middle Eastern threat actors, particularly the Stealth Falcon group from the UAE. LANDFALL’s loader, termed “Bridge Head,” hints at connections with the Variston spyware framework, known to supply tools to regional intelligence entities.
Patching and Mitigation
Samsung patched CVE-2025-21042 in April 2025, followed by a related fix for CVE-2025-21043 in September 2025. Users with updated firmware are protected against these specific threats. This campaign underscores the growing risk of DNG image processing vulnerabilities, mirrored by Apple’s patch of CVE-2025-43300 in August 2025 and WhatsApp’s fix of CVE-2025-55177. Palo Alto Networks customers are safeguarded through Advanced WildFire, URL Filtering, DNS Security, and Threat Prevention tools, with Unit 42 offering incident response for compromised organizations.
Indicators of Compromise
Key malicious files identified include SHA256 hashes for DNG images, ZIP archives, and executable components like b.so. These indicators can assist security teams in identifying potential breaches on targeted devices.
What Undercode Say:
The LANDFALL campaign demonstrates how mobile spyware has evolved beyond simple phishing and trojans into highly targeted, zero-click espionage tools. By leveraging media files—a vector previously considered benign—attackers can bypass traditional user-focused security measures. This shift illustrates the strategic value of embedded malware within trusted communication channels, such as WhatsApp.
Analyzing the malware’s structure reveals that LANDFALL is designed for persistent surveillance. Its ability to access microphones, call logs, and location data indicates that threat actors prioritized both data exfiltration and stealth. The use of non-standard ports and encrypted communication channels further complicates detection by conventional network defenses.
The geographical focus and infrastructure similarities suggest a state-affiliated or PSOA origin, highlighting an ongoing trend in geopolitical cyber operations targeting civilians and organizations in sensitive regions. This aligns with broader intelligence reports that emphasize the Middle East as a hotspot for cyber-espionage campaigns leveraging commercial spyware.
LANDFALL’s exploitation of DNG images also marks a convergence of multimedia vulnerabilities across platforms. The mirrored Apple iOS exploits show that attackers are increasingly crafting cross-platform attack strategies, where knowledge from one ecosystem informs the other. This raises the stakes for mobile security, requiring continuous patch management and proactive threat intelligence.
Furthermore, the campaign underscores the lag between vulnerability exploitation and patch deployment. Attackers operated for months before fixes were applied, exploiting the window where users were unprotected. For security teams, this emphasizes the importance of monitoring unusual network behavior and suspicious media file activity—even from trusted messaging apps.
From a broader cybersecurity lens, LANDFALL illustrates how commercial spyware frameworks are becoming modular and adaptable, allowing actors to quickly weaponize vulnerabilities in emerging mobile technologies. Its infrastructure and operational security suggest a significant investment in development, indicating that advanced persistent threats are no longer limited to desktops or enterprise networks—they are now pervasive across mobile devices globally.
The implications for user privacy are severe. With access to personal communications, media, and geolocation, the potential for surveillance and profiling is high. Organizations and individuals must consider layered defenses, including real-time threat intelligence, endpoint protection, and user awareness campaigns, to counter increasingly invisible threats.
🔍 Fact Checker Results
✅ LANDFALL exploited CVE-2025-21042 in Samsung devices.
✅ The malware delivered via WhatsApp images required no user interaction.
❌ There is no evidence that this vulnerability affected non-flagship Samsung models.
📊 Prediction
As mobile spyware becomes more sophisticated, we can expect multi-vector attacks leveraging media files to become mainstream. Users may see an increase in zero-click exploits targeting messaging apps, while device manufacturers will accelerate real-time vulnerability detection and patch deployment. Cybercriminals are likely to expand regional targeting, with commercial spyware increasingly used for surveillance, data theft, and intelligence operations across borders. Emerging AI-based malware detection tools may help mitigate risks, but persistent threats like LANDFALL highlight the urgent need for proactive, global mobile cybersecurity strategies.
🕵️📝✔️Let’s dive deep and fact‑check.
References:
Reported By: cyberpress.org
Extra Source Hub (Possible Sources for article):
https://www.reddit.com/r/AskReddit
Wikipedia
OpenAi & Undercode AI
Image Source:
Unsplash
Undercode AI DI v2
Bing
🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]
📢 Follow UndercodeNews & Stay Tuned:
𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky | 🐘Mastodon




