A sophisticated spyware operation, dubbed LANDFALL, has been uncovered targeting Samsung Galaxy smartphones through a zero-day vulnerability exploited in WhatsApp image files. The campaign, active since mid-2024, enabled attackers to silently install surveillance-grade malware capable of complete device monitoring — all without user interaction.
Zero-Day Exploit Hidden in WhatsApp Images
The LANDFALL operation leveraged a flaw identified as CVE-2025-21042, located in Samsung’s image processing library (libimagecodec.quram.so). Attackers weaponized Digital Negative (DNG) image files and disguised them as ordinary WhatsApp photos by giving them names such as IMG-20240723-WA0000.jpg, even though the content was DNG rather than JPEG.
When opened or previewed, these images triggered the vulnerability, allowing malware execution. The infected files were uploaded to VirusTotal from regions such as Morocco, Iran, Iraq, and Turkey, signaling a targeted campaign across the Middle East.
How the Attack Worked
Researchers from Unit 42 discovered that the malicious DNG files contained embedded ZIP archives with shared object (.so) libraries. These payloads were extracted and executed by the vulnerable image library, effectively installing the spyware with zero user interaction.
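As an added illustration (not code from Unit 42 or from the original article), a defender-side heuristic in Python that flags the file shape just described: a TIFF/DNG container named like a WhatsApp .jpg that carries an embedded ZIP archive with .so entries. The sample file is constructed inside the script and is not a real LANDFALL artifact.

```python
"""Heuristic scanner for the LANDFALL-style file shape described above:
a TIFF/DNG container (often named .jpg) carrying an embedded ZIP archive
whose entries are shared objects (.so).  Detection only; nothing is executed."""
import io
import struct
import zipfile

TIFF_MAGICS = (b"II*\x00", b"MM\x00*")   # little/big-endian TIFF (DNG is TIFF-based)
JPEG_MAGIC = b"\xff\xd8\xff"
ZIP_LOCAL_HDR = b"PK\x03\x04"            # ZIP local file header signature

def scan_image(name: str, data: bytes) -> dict:
    """Return findings for one file: container type, name/magic mismatch,
    offset of an embedded ZIP (if any) and the .so entries inside it."""
    if data.startswith(JPEG_MAGIC):
        container = "jpeg"
    elif data[:4] in TIFF_MAGICS:
        container = "tiff/dng"
    else:
        container = "unknown"
    lower = name.lower()
    mismatch = lower.endswith((".jpg", ".jpeg")) and container != "jpeg"
    zip_offset = data.find(ZIP_LOCAL_HDR)
    so_entries = []
    if zip_offset != -1:
        try:
            # zipfile locates the central directory from the end of the stream,
            # so handing it everything from the first local header is enough.
            with zipfile.ZipFile(io.BytesIO(data[zip_offset:])) as zf:
                so_entries = [n for n in zf.namelist() if n.lower().endswith(".so")]
        except zipfile.BadZipFile:
            pass  # a stray "PK\x03\x04" in pixel data is not a parsable archive
    suspicious = mismatch or bool(so_entries)
    return {"container": container, "name_mismatch": mismatch,
            "zip_offset": zip_offset, "so_entries": so_entries,
            "suspicious": suspicious}

def build_sample() -> bytes:
    """Constructed test fixture (not a real LANDFALL file): a minimal
    little-endian TIFF header followed by a ZIP holding a dummy .so entry."""
    tiff_header = b"II*\x00" + struct.pack("<I", 8) + struct.pack("<H", 0)  # empty IFD
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("libdummy.so", b"placeholder bytes, not an ELF object")
        zf.writestr("readme.txt", b"constructed")
    return tiff_header + buf.getvalue()

if __name__ == "__main__":
    print(scan_image("IMG-20240723-WA0000.jpg", build_sample()))
```

The same function applied to a genuine JPEG (bytes starting with `\xff\xd8\xff` and no embedded archive) reports no mismatch and no entries.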
Once deployed, LANDFALL granted attackers extensive control over infected devices — including:
- Microphone and camera access for live surveillance
- GPS tracking for precise location monitoring
- Data theft from photos, contacts, messages, and call logs
The spyware primarily targeted Galaxy S22, S23, S24, and Z series running Android 13–15, highlighting the attackers’ precision and focus on high-value devices.
State-Linked Surveillance Indicators
While no group has been officially attributed, the infrastructure overlaps with known private-sector offensive actors (PSOAs), including Stealth Falcon, a surveillance vendor tied to past campaigns against Emirati activists.
This finding suggests that LANDFALL was not a broad criminal operation, but a state-linked espionage effort using commercial-grade spyware for regional intelligence gathering.
Samsung’s Security Response
Samsung patched CVE-2025-21042 in April 2025 after reports of active exploitation. A subsequent September 2025 update fixed a related zero-day (CVE-2025-21043) in the same library, strengthening defenses against image-based attacks.
Even after the patch, the LANDFALL campaign itself went unidentified for months, showcasing the stealth and persistence of modern spyware vendors.
Protecting Against Image-Based Exploits
Experts advise all Samsung users to:
- Install the latest security updates immediately.
- Avoid opening unknown image attachments or ZIP files in messaging apps.
- Disable image previews in sensitive communication apps, where possible.
- Use mobile security software that scans for malicious payloads.
The LANDFALL campaign echoes a disturbing trend of zero-click exploits, similar to the exploit chains previously seen against Apple’s iOS and to infamous tools like Pegasus. It underscores how image-processing flaws have become a new front in the battle for mobile security.
The Bigger Picture
LANDFALL’s discovery is another reminder that spyware is evolving faster than public defenses. With private-sector vendors selling these tools to governments, the line between cybersecurity and cyberwarfare is blurring.
To stay ahead, collaboration between tech companies, researchers, and policymakers is crucial. Each newly patched vulnerability is a step forward — but also a signal that the digital arms race is far from over.