Ethical Hacking News
A new spyware called "LandFall" exploits a Samsung zero-day vulnerability via WhatsApp messages, targeting select users in the Middle East. This operation highlights the ongoing threats posed by commercial surveillance frameworks used in targeted intrusions.
The LandFall spyware exploits a zero-day vulnerability in Samsung's Android image-processing library, triggered by malicious images sent over WhatsApp. The attacks targeted select Samsung Galaxy users in Iraq, Iran, Turkey, and Morocco. Samsung patched the vulnerability in April this year, but researchers found evidence that LandFall had been exploiting it since at least July 2024, months before a fix was available. LandFall likely belongs to the category of commercial surveillance frameworks used in targeted intrusions and carries a full set of spying capabilities. Users are advised to apply security updates promptly, disable automatic media downloading in messaging apps, and consider enabling 'Advanced Protection' on Android or 'Lockdown Mode' on iOS.
Researchers at Palo Alto Networks' Unit 42 have identified a new spyware called "LandFall" that exploits a zero-day vulnerability in Samsung's Android image-processing library, triggered by malicious images delivered over WhatsApp. The LandFall operation has been active since at least July 2024 and targeted select Samsung Galaxy users in the Middle East, specifically Iraq, Iran, Turkey, and Morocco.
Samsung patched the vulnerability in April this year, but Unit 42 found evidence that LandFall had been exploiting it in the wild since July 2024, well before the fix shipped. The zero-day, tracked as CVE-2025-21042, is an out-of-bounds write in the libimagecodec.quram.so image codec library and carries a critical severity rating. A remote attacker who successfully exploits it can execute arbitrary code on the target device, with no interaction beyond the device processing the image.
According to Unit 42's analysis, LandFall likely falls under the category of commercial surveillance frameworks used in targeted intrusions. The attack chain begins with the delivery of a malformed DNG raw image file (a TIFF-based format) with a ZIP archive appended to the end of the file. The image portion triggers the codec bug, while the appended archive carries the implant's components.
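To make that delivery format concrete, here is an added Python example, not code from the Unit 42 report or from this article, that builds a constructed DNG-style TIFF stub with a ZIP archive appended and then detects the appended archive the way a mail or messaging gateway could: it locates the ZIP end-of-central-directory (EOCD) record from the tail of the file and walks back to where the archive actually starts. The TIFF stub, the padding, and the member name "loader.so" are constructed placeholders and not real LandFall artifacts; "l.so" is borrowed from the component name the report mentions.

```python
import io
import struct
import zipfile

# DNG files are TIFF containers, so they start with one of the TIFF byte-order marks.
TIFF_MAGICS = (b"II*\x00", b"MM\x00*")
ZIP_LOCAL_HEADER_SIG = b"PK\x03\x04"
ZIP_EOCD_SIG = b"PK\x05\x06"
ZIP_EOCD_FIXED_LEN = 22  # 4-byte signature + 18 bytes of fixed fields


def looks_like_tiff(data: bytes) -> bool:
    """True if the buffer begins with a TIFF/DNG byte-order mark."""
    return data[:4] in TIFF_MAGICS


def find_appended_zip(data: bytes):
    """Locate a ZIP archive glued onto the end of a buffer.

    Returns (zip_start_offset, member_names) or None. The EOCD record is
    searched from the tail; its central-directory size and offset are relative
    to the archive start, so subtracting both from the EOCD position gives the
    offset where the ZIP begins inside the larger (image) file.
    """
    eocd = data.rfind(ZIP_EOCD_SIG)
    if eocd < 0 or len(data) - eocd < ZIP_EOCD_FIXED_LEN:
        return None
    # EOCD fixed fields: disk number, CD disk, entries on this disk,
    # total entries, CD size, CD offset, comment length (little-endian).
    _, _, _, _, cd_size, cd_offset, _ = struct.unpack(
        "<HHHHIIH", data[eocd + 4:eocd + ZIP_EOCD_FIXED_LEN])
    zip_start = eocd - cd_size - cd_offset
    if zip_start < 0 or data[zip_start:zip_start + 4] != ZIP_LOCAL_HEADER_SIG:
        return None  # EOCD bytes occurred by chance, or the archive is damaged
    # zipfile tolerates leading non-ZIP data, the same trick self-extracting
    # archives rely on, so it can enumerate the appended members directly.
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
    return zip_start, names


def classify(data: bytes) -> str:
    """Coarse verdict for a file that arrived as an image attachment."""
    if not looks_like_tiff(data):
        return "not-tiff"
    return "tiff-with-appended-zip" if find_appended_zip(data) else "clean-tiff"


# --- Constructed sample data (placeholders, not real LandFall artifacts) ---

def build_tiff_stub() -> bytes:
    """Little-endian TIFF header, first IFD at offset 8 with zero entries, plus
    padding standing in for image data: enough for a format sniffer, not a
    real image. Total length is 64 bytes."""
    header = b"II*\x00" + struct.pack("<I", 8)
    ifd = struct.pack("<H", 0) + struct.pack("<I", 0)
    return header + ifd + b"\x00" * 50


def build_polyglot_sample() -> bytes:
    """TIFF stub followed by a ZIP holding two fake ELF-looking members."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("loader.so", b"\x7fELF" + bytes(12))  # hypothetical name
        zf.writestr("l.so", b"\x7fELF" + bytes(12))       # name from the report
    return build_tiff_stub() + buf.getvalue()


if __name__ == "__main__":
    sample = build_polyglot_sample()
    print(classify(sample), find_appended_zip(sample))
    print(classify(build_tiff_stub()))
```

The check is deliberately independent of the image parser: a codec that can be crashed by a malformed DNG is the last thing you want inspecting the file, so the detector only reads the TIFF magic and the ZIP trailer. It will not catch a payload that is hidden inside TIFF structures rather than appended, and a stray EOCD signature with valid-looking offsets could in principle be crafted, so treat a hit as a strong indicator for quarantine rather than proof of compromise.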
Once the loader is running on the victim's device, it fetches additional modules and uses an SELinux policy manipulator (l.so) to alter the device's security policy. Weakening the policy lets the implant execute its modules, persist across reboots, evade detection, and bypass platform protections. LandFall's capabilities include microphone recording, call recording, location tracking, and access to photos, contacts, SMS messages, call logs, and files.
The spyware targets the Galaxy S22, S23, and S24 series, as well as the Z Fold 4 and Z Flip 4, covering Samsung's recent flagship lines. LandFall is another instance of the broader pattern of zero-day exploitation seen recently in commercial spyware tooling.
Samples that Unit 42 examined on VirusTotal point to potential targets in Iraq, Iran, Turkey, and Morocco. Researchers identified six command-and-control (C2) servers associated with the LandFall campaign, some of which had already been flagged for malicious activity by Turkey's national CERT.
While attribution is murky, researchers have linked C2 domain registration and infrastructure patterns to Stealth Falcon operations originating from the United Arab Emirates. Another clue lies in the use of the "Bridge Head" name for the loader component, a naming convention commonly seen in NSO Group, Variston, Cytrox, and Quadream products.
Despite these overlaps, LandFall could not be confidently attributed to any known threat group or spyware vendor. Whoever is behind it, the practical defenses are the same.
Security experts advise applying security updates for your mobile OS and apps promptly, disabling automatic media downloading on messaging apps, and considering activating 'Advanced Protection' on Android and 'Lockdown Mode' on iOS.
Related Information:
https://www.ethicalhackingnews.com/articles/New-LandFall-Spyware-Exploits-Samsung-Zero-Day-via-WhatsApp-Messages-ehn.shtml
https://www.bleepingcomputer.com/news/security/new-landfall-spyware-exploited-samsung-zero-day-via-whatsapp-messages/
https://nvd.nist.gov/vuln/detail/CVE-2025-21042
https://www.cvedetails.com/cve/CVE-2025-21042/
Published: Sat Nov 8 05:31:42 2025 by llama3.2 3B Q4_K_M