LANDFALL Spyware Hits Samsung Devices

Published Date: November 13, 2025
Category: ShadowOpsIntel
Share:

LANDFALL is a newly discovered commercial-grade Android spyware designed specifically to target Samsung Galaxy devices. It was deployed using zero-click exploit chains, delivered via malicious DNG image files through WhatsApp. The campaign, active between mid-2024 and early 2025, was uncovered by Unit 42 and is believed to have targeted entities in the Middle East.

Severity: High

Exploitation Chain

  • Primary vulnerability exploited: CVE-2025-21042 in Samsung’s libimagecodec.quram.so.
  • Targeted Devices: Galaxy Z Fold4, Galaxy Z Flip4, Samsung Galaxy S22, S23, S24 Series.
  • Delivered through malformed DNG image files (Digital Negative format).
  • Likely distributed via WhatsApp as zero-click or user-assisted payloads.
  • Related vulnerabilities in ecosystem: CVE-2025-21043 (Samsung), CVE-2025-43300 (Apple DNG), CVE-2025-55177 (WhatsApp redirection).

Spyware Capabilities

LANDFALL is modular, consisting of:

  • b.so – Primary loader and beaconing agent (“Bridge Head”).
  • l.so – SELinux policy manipulator, enabling privilege escalation.

Key features:

  • Surveillance: Microphone & call recording, camera, screenshots, SMS, contacts, location tracking.
  • System manipulation: SELinux bypass, process injection, persistence via Android app directories.
  • Anti-analysis: Detection of Frida, Xposed, debugger tracing, root mode handling.
  • Exfiltration: Secure HTTPS C2 with certificate pinning, non-standard ports, JSON-based telemetry.

Potential Threat Actor Links

  • C2 infrastructure shows overlap with Stealth Falcon-style operations.
  • Debug artifacts reference “Bridge Head”, similar to terminology used by Variston and NSO Group spyware.
  • No direct attribution, but patterns suggest use by Private Sector Offensive Actors (PSOAs).

Persistence & Evasion

  • Uses SELinux policy loader to dynamically patch memory and elevate privileges.
  • Resides in /data/data/com.samsung.ipservice/files/.
  • Leverages LD_PRELOAD techniques and encrypted staging to maintain stealth.
  • Cleanup routines ensure minimal forensic residue post-infection.

Recommendations

  1. Ensure all affected Samsung devices are updated with September 2025 security patches or later.
  2. Educate users about risks of opening unsolicited media, especially via WhatsApp and similar platforms.
  3. Disable media auto-download features on messaging apps in high-risk environments.
  4. Ensure third-party apps (e.g., WhatsApp) are fully updated to patch vulnerabilities like CVE-2025-55177.
  5. Leverage mobile device management (MDM) solutions to enforce app-level and OS-level restrictions.
  6. Block the IOCs at their respective controls
    https://www.virustotal.com/gui/collection/2f68a764036cff75a7d93caf5514d0cde0548c7cfedc042f2cf8a3129c52c7bd/iocs

Source:

Enjoyed reading this Threat Intelligence Advisory? Stay updated with our latest exclusive content by following us on Twitter and LinkedIn

No related posts found.

Ampcus Cyber
Privacy Overview

This website uses cookies so that we can provide you with the best user experience possible. Cookie information is stored in your browser and performs functions such as recognising you when you return to our website and helping our team to understand which sections of the website you find most interesting and useful.

 Talk to an expert