A newly disclosed zero-day vulnerability in Samsung Galaxy smartphones has been actively exploited in the wild to deploy a sophisticated Android spyware framework known as LANDFALL.
The flaw, tracked as CVE-2025-21042, resides in Samsung’s image-processing library libimagecodec.quram.so and allows remote code execution through specially crafted image files.
Overview
Researchers discovered that threat actors used malicious DNG or JPEG files to trigger the vulnerability. The attack can occur with little to no user interaction. For example, simply receiving an image via messaging apps like WhatsApp may trigger exploitation. Once executed, LANDFALL installs multiple native components granting the attacker full control over the device, including microphone, camera, GPS, and data exfiltration.
Evidence suggests the campaign began in mid-2024 and primarily targeted Samsung Galaxy S22–S24, Z Fold 4, and Z Flip 4 models running Android 13–15. Most infections were observed in the Middle East (Iraq, Iran, Turkey, Morocco), indicating a targeted espionage operation likely linked to a private-sector offensive actor or state-sponsored group.
Samsung quietly patched the vulnerability in its April 2025 security update, but many devices remain unpatched, leaving users exposed. CISA has since added CVE-2025-21042 to its Known Exploited Vulnerabilities (KEV) catalog.
Attack Chain
- Delivery of malicious image file (often via encrypted messaging apps).
- Out-of-bounds write triggered in libimagecodec.quram.so.
- Payload extracted and executed under system context.
- Installation of spyware modules (“b.so”, “l.so”) that modify SELinux policies for persistence.
- C2 communication over HTTPS to attacker-controlled infrastructure, enabling continuous surveillance.
Impact
Successful exploitation grants full access to user data, communications, and system functions. For enterprises, a compromised Samsung device represents a direct threat to corporate email, messaging, and authentication systems. The stealthy nature of LANDFALL allows long-term data theft without visible indicators.
Indicators of Compromise
- Suspicious .dng or .jpg files with appended ZIP data (e.g., “WhatsApp Image 2025-02-10.jpg”).
- Unexpected native libraries in /system/lib64/ such as b.so or l.so.
- Outbound HTTPS traffic to domains including brightvideodesigns[.]com and the associated IP address 194.76.224[.]127.
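To make the first indicator checkable in triage, here is an added Python example (not OP Innovate's tooling or code from the advisory) that walks a JPEG's marker segments to measure any bytes past the EOI marker and uses the standard zipfile module to list an archive appended to a JPEG or DNG. The sample image is constructed inline and the entry names are placeholders that only mirror the library names in this advisory.

```python
import io
import struct
import zipfile
JPEG_SOI = b"\xff\xd8"
TIFF_MAGIC = (b"II*\x00", b"MM\x00*")   # DNG files are TIFF containers; TIFF has no end marker

def jpeg_payload_end(data: bytes) -> int:  # offset just past the EOI marker, or -1 if malformed
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            return -1
        marker = data[pos + 1]
        if marker == 0xD9:                                  # EOI: a clean JPEG ends here
            return pos + 2
        if marker == 0xFF or marker == 0x01 or 0xD0 <= marker <= 0xD8:  # fill byte / standalone
            pos += 1 if marker == 0xFF else 2
            continue
        if pos + 4 > len(data):
            return -1
        pos += 2 + struct.unpack(">H", data[pos + 2:pos + 4])[0]   # skip length-prefixed segment
        if marker == 0xDA:                                  # SOS: skip entropy-coded scan data
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt not in (0x00, 0xFF) and not 0xD0 <= nxt <= 0xD7:
                    break                                   # a real marker, not stuffing/RSTn/fill
                pos += 1
    return -1

def scan_image(data: bytes) -> dict:
    """Report bytes trailing a JPEG's EOI and any ZIP archive readable from the file's tail."""
    kind = "jpeg" if data.startswith(JPEG_SOI) else "dng/tiff" if data[:4] in TIFF_MAGIC else "unknown"
    end = jpeg_payload_end(data) if kind == "jpeg" else -1
    report = {"kind": kind, "trailing_bytes": len(data) - end if end > 0 else 0, "entries": []}
    if zipfile.is_zipfile(io.BytesIO(data)):               # looks for the end-of-central-directory record
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:   # zipfile tolerates a prepended image
                report["entries"] = zf.namelist()
        except zipfile.BadZipFile:
            pass
    report["suspicious"] = bool(report["entries"])
    return report

def build_sample() -> bytes:  # constructed input: minimal JPEG skeleton + ZIP of two dummy libraries
    jpeg = JPEG_SOI + b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00" + b"\x00" * 9   # APP0
    jpeg += b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"           # SOS header
    jpeg += b"\x12\x34\xff\x00\x56" + b"\xff\xd9"                                      # scan + EOI
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in ("b.so", "l.so"):                       # names only mirror the advisory's IoCs
            zf.writestr(name, b"placeholder")
    return jpeg + buf.getvalue()
```

Trailing bytes alone are not conclusive (some cameras and apps append benign trailers), so the verdict keys on a parseable ZIP; run scan_image over the media directories of a device image and review any report with suspicious set.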
Mitigation
- Update immediately: Ensure April 2025 or newer Samsung security patches are installed.
- Verify MDM compliance: Require devices to auto-update and restrict users from disabling security updates.
- Monitor traffic: Hunt for connections to known LANDFALL C2 domains or anomalous outbound HTTPS activity.
- User awareness: Warn staff not to open unexpected image attachments and report suspicious device behavior.
- High-risk personnel: Executives and field staff should use hardened or non-Samsung devices until patching is confirmed.
OP Innovate Assessment
The LANDFALL campaign highlights a continuing trend of image-based zero-click exploits targeting Android ecosystems. Although currently focused on Samsung, the techniques used could be adapted to other OEMs.
Given its stealth, regional targeting, and advanced persistence, OP Innovate assesses this threat as High Risk for organizations operating in or communicating with the Middle East and recommends immediate patch verification and mobile threat-hunting actions.
Stay Safe. Stay Secure.
OP Innovate Research Team