For about a year aggressors discreetly utilized extraordinarily made picture records to break into Samsung World phones, introduce capable spyware and siphon off receivers, photographs, area and more — all without casualties clicking a interface or opening a record. Security analysts at Palo Alto Networks’ Unit 42 have named the campaign LANDFALL, and their examination appears the aggressor misused a already obscure powerlessness in Samsung’s image-processing library to convey commercial‑grade spyware by means of distorted picture records.
Unit 42
+1
Below I walk through what happened, how the danger worked, who was focused on, and — most vitally — what clients and chairmen ought to do right now.
What the analysts found
Unit 42’s examination revealed an Android spyware family they call LANDFALL that was conveyed by abusing a zero‑day helplessness in a Samsung picture parsing library (the library alluded to as libimagecodec.quram.so). The powerlessness is followed as CVE‑2025‑21042 in Unit 42’s writeup and has a tall seriousness (analysts report an out‑of‑bounds compose that empowers farther code execution). The misuse was weaponized by implanting the malevolent payload interior extraordinarily made Computerized Negative (DNG) / picture records. When the powerless picture decoder prepared those records, it seem be constrained to run aggressor code — no client interaction fundamental in numerous cases.
Unit 42
+1
Unit 42 says tests date back to July 23, 2024, and the spyware campaign ran through much of 2024 into 2025 some time recently being unveiled. The assailants show up to have utilized informing stages — strikingly WhatsApp — to provide the controlled pictures, making the operation stealthy and low-friction for the foe.
Unit 42
+1
Other security outlets that surveyed Unit 42’s inquire about freely affirm the wide subtle elements: a zero‑day focusing on Samsung’s picture taking care of, DNG pictures utilized as the vector, and the revelation inciting facilitated patches by Samsung.
Digital Trends
+1
How a “no‑click” picture misuse works (plain English)
Most malware needs the client to do something: press a interface, open a record, run an app. “Zero‑click” or “no‑click” assaults evacuate that step. Here’s the rearranged chain utilized in LANDFALL:
Craft a noxious picture record that intentioned damages desires (degenerate headers, awful sizes, contorted metadata) to trigger a bug profound interior the phone’s picture interpreting library.
Deliver the record to the target — through WhatsApp, MMS, e-mail, or other channels where pictures are naturally handled by the accepting gadget or the informing app.
Trigger happens consequently when the phone (or the app) parses the picture (for illustration, to make a thumbnail or see). If that parser has a memory‑safety bug (like an out‑of‑bounds compose), the pernicious picture can capture execution and run code chosen by the attacker.
Install the spyware payload and start reconnaissance (receiver recording, screenshots/photos exfiltration, area, contacts, call logs).
Unit 42
That “no click” portion comes from the reality that numerous informing stages and gadget components naturally handle approaching pictures — making thumbnails, ordering, or producing sneak peaks — and the abuse mishandle that programmed work to run without the client ever tapping the image.
What LANDFALL seem do
According to Unit 42, once LANDFALL was introduced it given the aggressor wide reconnaissance capabilities normal of commercial spyware:
Record sound from the microphone.
Capture photographs and conceivably screenshots.
Track area and movement.
Exfiltrate contacts, call logs and put away media.
Maintain perseverance and communicate with command‑and‑control servers.
Unit 42
Because the spyware is “commercial‑grade,” it’s outlined to be steady, stealthy, and competent of long‑term observation of high‑value targets. Reports demonstrate focusing on in the Center East and the disease list centered on a extend of Universe leads (Unit 42 notices System S22/S23/S24 arrangement and select Z‑Fold/Z‑Flip models as inside the influenced families).
Unit 42
+1
Who was targeted?
Unit 42’s telemetry and artifact investigation demonstrates a focused on campaign or maybe than wide, unpredictable mass dissemination. Media scope and territorial detailing propose casualties in parts of the Center East and North Africa among others; in any case, the full scope is hazy and likely constrained to particular people or organizations of intrigued to the aggressors. Analysts did not conclusively trait the campaign to a named state on-screen character in their open writeup.
Unit 42
+1
Patches and timeline — is it fixed?
Samsung issued security overhauls tending to vulnerabilities in its image‑processing components. Unit 42’s divulgence notes that the particular blemish misused by LANDFALL (CVE‑2025‑21042) has been fixed; Samsung moreover afterward fixed a moment related zero‑day (CVE‑2025‑21043) in the same library. The basic point: introduce the vendor‑supplied security upgrades (Samsung’s April 2025 and consequent overhauls, and any afterward SMR/patch discharges) as before long as they’re accessible for your gadget. Different security outlets and seller advisories affirm Samsung pushed fixes in 2025 after private notices from security groups.
Unit 42
+1
If your phone has not gotten or introduced April 2025 (or afterward) upgrades, it may still be at hazard. Clients ought to check Settings → Computer program overhaul → Download and introduce (or the comparable on their World show) and affirm establishment of security patches dated April 2025 or afterward.
Hindustan Times
Practical, quick steps for clients and admins
Update presently. Introduce the most recent Samsung security overhauls (April 2025 fix and any ensuing discharges). This is the single most critical step.
Unit 42
+1
Limit programmed handling of approaching media. In WhatsApp and comparable apps, impair auto‑download of media and sneak peaks where conceivable (Settings → Capacity and Information → Media Auto‑Download in WhatsApp). That decreases introduction to made pictures being prepared consequently.
The Programmer News
Harden informing apps. Keep WhatsApp and other informing apps up to date; utilize confirmed apps from the official store; maintain a strategic distance from utilizing modified/third‑party clients.
Scan for peculiarities. Check for unordinary battery deplete, unexplained information utilization, obscure apps, or startling foundation action. These can be pointers of compromise. If you suspect contamination, disconnect the gadget (plane mode), back up imperative information, and counsel a portable forensics proficient.
Unit 42
Assume focused on clients may require proficient offer assistance. High‑value targets (activists, writers, officials) ought to counsel security occurrence reaction groups — evacuating advanced spyware may require scientific apparatuses and reinstallation of firmware.
Unit 42
Detection challenges
Zero‑click picture misuses are unsafe since they take off less self-evident follows: there’s no malevolent connect to tap and no app introduce provoke to spot. The malevolent movement frequently happens in favored local libraries and may see like typical framework behavior. Unit 42 notes LANDFALL was planned for stealth and tirelessness, which complicates location without specialized tooling. If you oversee gadgets centrally (MDM/EMM), see for unordinary outbound associations and connect bizarre telemetry (CPU spikes, organize utilization) with approaching media timestamps.
Unit 42
Broader implications
LANDFALL highlights three stressing trends:
Attackers progressively weaponize media parsing code. Image/video parsers are complex C/C++ code with verifiable memory‑safety issues — appealing targets for misuse.
Unit 42
Zero‑click methods decrease the adequacy of client instruction. Telling individuals “don’t press suspicious links” won’t halt assaults that abuse programmed preparing. Resistances must come from way better stage solidifying and opportune fixing.
netlas.io
Commercial spyware proceeds to multiply. The highlights and polished skill in LANDFALL are steady with commercially delivered observation apparatuses sold to governments or advanced on-screen characters. That raises protection and arrangement questions past a single defenselessness.
0 Comments