The **LANDFALL** spyware campaign exploited a zero-day vulnerability (**CVE-2025-21042**) in Samsung’s Android image processing library, targeting Galaxy devices (S22, S23, S24, Z Fold4, Z Flip4). Distributed via malformed DNG image files on WhatsApp, the malware enabled **extensive surveillance**—including microphone recording, location tracking, call log theft, and extraction of photos, contacts, and SMS messages. The attack leveraged **SELinux manipulation** for persistence and evasion, with evidence linking it to **commercial spyware operations** (e.g., Stealth Falcon, Variston framework) and **targeted intrusions in the Middle East** (Iraq, Iran, Turkey, Morocco). The vulnerability remained unpatched until **April 2025**, exposing users for nearly a year. While Samsung later patched related flaws (e.g., **CVE-2025-21043**), the campaign’s **modular design** suggests potential for expanded payloads. The attack’s **sophistication**—combining zero-day exploitation, encrypted C2 communication, and anti-forensic techniques—highlights risks to **high-profile individuals, government entities, and critical infrastructure** in the region. Palo Alto’s Unit 42 confirmed **no WhatsApp vulnerabilities** were involved, but the use of a **trusted messaging platform** amplified the attack’s reach and credibility.
Source: https://gbhackers.com/samsung-0-day-vulnerability/
Samsung Mobile cybersecurity rating report: https://www.rankiteo.com/company/samsungmobile
"id": "sam1862118110825",
"linkid": "samsungmobile",
"type": "Vulnerability",
"date": "4/2025",
"severity": "100",
"impact": "6",
"explanation": "Attack threatening the economy of geographical region"
```json
{
  "affected_entities": [
    {
      "customers_affected": ["users of Samsung Galaxy S22/S23/S24, Z Fold4, Z Flip4 in Middle East (Iraq, Iran, Turkey, Morocco)"],
      "industry": "technology (consumer electronics)",
      "location": "South Korea (global operations)",
      "name": "Samsung Electronics",
      "size": "large enterprise",
      "type": "corporation"
    },
    {
      "location": ["Iraq", "Iran", "Turkey", "Morocco"],
      "name": "Individual targets in Middle East",
      "type": "individuals/government entities"
    }
  ],
  "attack_vector": [
    "malicious DNG image files",
    "WhatsApp messaging platform",
    "CVE-2025-21042 (Samsung image processing library)"
  ],
  "customer_advisories": ["Samsung security bulletins", "media reports"],
  "data_breach": {
    "data_encryption": ["SELinux policy manipulation for persistence"],
    "data_exfiltration": true,
    "file_types_exposed": ["DNG images (malicious payload)", "photos", "SMS databases", "contact lists"],
    "personally_identifiable_information": true,
    "sensitivity_of_data": "high (personal and surveillance data)",
    "type_of_data_compromised": ["PII (contacts, SMS, photos)", "geolocation data", "call logs", "microphone recordings"]
  },
  "date_detected": "2024-07",
  "date_resolved": "2025-04",
  "description": "Cybersecurity researchers at Unit 42 uncovered a sophisticated Android spyware campaign, dubbed LANDFALL, which exploited a zero-day vulnerability (CVE-2025-21042) in Samsung Galaxy devices. The malware leveraged a critical flaw in Samsung’s image processing library to deliver commercial-grade surveillance capabilities via maliciously crafted DNG image files sent through WhatsApp. The campaign targeted devices in the Middle East, including Iraq, Iran, Turkey, and Morocco, and exhibited tradecraft patterns linked to commercial spyware operations (e.g., Stealth Falcon, Variston). The spyware enabled extensive surveillance (microphone recording, location tracking, data exfiltration) and used evasion techniques to bypass Android’s SELinux policies. Samsung patched the vulnerability in April 2025, with an additional related fix (CVE-2025-21043) in September 2025.",
  "impact": {
    "brand_reputation_impact": ["potential reputational damage to Samsung", "concerns over device security"],
    "data_compromised": ["microphone recordings", "location data", "call logs", "photos", "contacts", "SMS messages"],
    "identity_theft_risk": ["high (PII exfiltration)", "location tracking"],
    "systems_affected": ["Samsung Galaxy S22/S23/S24", "Z Fold4", "Z Flip4"]
  },
  "initial_access_broker": {
    "backdoors_established": ["SELinux policy manipulation", "persistent C2 communication via HTTPS/ephemeral ports"],
    "entry_point": "malicious DNG files via WhatsApp",
    "high_value_targets": ["government/individual targets in Middle East"],
    "reconnaissance_period": "2024-01 to 2025-02 (samples uploaded to VirusTotal)"
  },
  "investigation_status": "ongoing (tracked as CL-UNK-1054 by Unit 42)",
  "lessons_learned": [
    "Zero-day vulnerabilities in image processing libraries are increasingly weaponized across mobile platforms (similar iOS exploits in 2025).",
    "Commercial spyware actors leverage ephemeral infrastructure (e.g., non-standard TCP ports) and modular architectures to evade detection.",
    "Supply chain risks extend to messaging platforms (WhatsApp) used as delivery mechanisms, even without platform vulnerabilities.",
    "SELinux policy manipulation is a critical evasion technique for Android malware persistence."
  ],
  "motivation": ["surveillance", "targeted espionage", "commercial spyware deployment"],
  "post_incident_analysis": {
    "corrective_actions": [
      "Samsung patched CVE-2025-21042 (April 2025) and CVE-2025-21043 (September 2025).",
      "Palo Alto Networks updated detection signatures for LANDFALL indicators.",
      "Ongoing attribution analysis by Unit 42 (CL-UNK-1054)."
    ],
    "root_causes": [
      "Unpatched zero-day in Samsung’s image processing library (CVE-2025-21042).",
      "Lack of validation for malformed DNG files in Android’s media stack.",
      "Exploitation of WhatsApp as a trusted delivery vector.",
      "Commercial spyware tradecraft (e.g., modular architecture, evasion techniques)."
    ]
  },
  "ransomware": {"data_exfiltration": true},
  "recommendations": [
    "Apply Samsung security patches promptly (April 2025 or later).",
    "Monitor for suspicious DNG/JPEG files received via messaging apps.",
    "Deploy advanced threat detection tools (e.g., Palo Alto Networks’ WildFire).",
    "Audit device permissions and SELinux policies for anomalies.",
    "Educate users on risks of unsolicited image files, even from known contacts.",
    "Investigate potential links to commercial spyware vendors (e.g., NSO Group, Variston)."
  ],
  "references": [
    {"source": "Unit 42 (Palo Alto Networks)"},
    {"source": "VirusTotal (malicious DNG samples)", "url": "https://www.virustotal.com"},
    {"source": "Samsung Security Updates (CVE-2025-21042, CVE-2025-21043)"}
  ],
  "response": {
    "communication_strategy": ["public advisory via Unit 42 report", "media coverage"],
    "containment_measures": [
      "Samsung security patches (April 2025, September 2025)",
      "Palo Alto Networks detection updates (Advanced WildFire, URL Filtering, DNS Security, Threat Prevention)"
    ],
    "enhanced_monitoring": ["Palo Alto Networks threat detection tools"],
    "incident_response_plan_activated": true,
    "remediation_measures": ["device security updates", "malware signature updates"],
    "third_party_assistance": ["Unit 42 (Palo Alto Networks)"]
  },
  "stakeholder_advisories": ["Palo Alto Networks customers notified via product updates"],
  "threat_actor": [
    "potentially linked to Stealth Falcon",
    "possible ties to Variston spyware framework",
    "private sector offensive actors (PSOAs)"
  ],
  "title": "LANDFALL Android Spyware Campaign Exploiting Samsung Zero-Day (CVE-2025-21042)",
  "type": ["spyware", "zero-day exploit", "targeted intrusion"],
  "vulnerability_exploited": "CVE-2025-21042 (Samsung Android image processing library)"
}
```