A new, commercial-grade Android spyware, named LANDFALL by Palo Alto Networks' Unit 42, has been used in the wild to compromise Samsung Galaxy phones by exploiting a previously unknown zero-day in Samsung's image-processing library. The campaign, active for several months before a fix was released, used malformed Digital Negative (DNG) images as the delivery vehicle and gave its operators full-service surveillance capabilities on compromised handsets. The discovery raises fresh questions about how commercial surveillance tools are procured, and how mobile vendors and messaging platforms detect and respond to highly stealthy attacks.
What was found: a brief summary
Unit 42's report describes a previously undocumented Android spyware family (LANDFALL) that was delivered by exploiting a critical flaw, tracked as CVE-2025-21042, in Samsung's image-processing library (the libimagecodec component). The exploit is carried inside specially crafted DNG image files that, when processed by the vulnerable library, allow remote code execution and the extraction and launch of the spyware components. Unit 42's telemetry places the first malicious samples as early as July 2024; the vulnerability was privately reported to Samsung in late 2024 and Samsung released a patch in April 2025.
How the attack appears to have worked
According to Unit 42's technical analysis, the attackers embedded a compressed payload (shared object libraries) inside malformed DNG files. When the phone's image-processing pipeline attempted to decode the DNG, the crafted file triggered an out-of-bounds write (the CVE), which the attackers used to corrupt memory and achieve code execution in the context of the image-processing component. From there the payload was decompressed and loaded as the LANDFALL spyware, which then established persistence and a remote command-and-control channel to exfiltrate data and accept further surveillance instructions. The delivery mechanism strongly suggests the attackers favored messaging apps (samples carry file names consistent with WhatsApp images), meaning the image may have been delivered in a one-to-one or group chat and weaponized to run without any obvious user interaction.
What LANDFALL can do
Once installed, LANDFALL behaves like a modern, full-spectrum commercial spyware package. The observed capabilities include:
Microphone recording (live or scheduled), enabling eavesdropping on nearby conversations.
Geolocation collection and continuous location tracking.
Exfiltration of photos, videos and other media.
Harvesting of contacts, SMS, call logs and files.
Execution of arbitrary commands, likely enabling further modular functionality (uploading additional plugins, livestreaming the camera, etc.).
This feature set is consistent with commercial surveillance offerings marketed to governments and law-enforcement customers: modular, remote-controlled and highly intrusive. Unit 42's reverse engineering shows LANDFALL was designed to target specific Galaxy models (the S22/S23/S24 families and some Z models) and Android versions (roughly Android 13 to 15), although the underlying flaw may have affected a broader set of devices.
Timeline & scope
July 2024: the first malicious DNG samples linked to LANDFALL appear in VirusTotal and other telemetry.
Sept. 25, 2024: Unit 42's timeline indicates this is when the vulnerability was privately reported to Samsung.
April 2025: Samsung releases a patch fixing the vulnerable image-processing library (SVE/CVE advisory). Unit 42 says the vulnerability had been exploited in the wild prior to the patch.
Multiple security outlets reporting on Unit 42's work, among them TechCrunch, The Hacker News and SecurityWeek, place the apparent geographic focus of the campaign in the Middle East (Iraq, Iran, Turkey and Morocco appear in related malware sample metadata), although Unit 42 is careful to stop short of definitive attribution. There are also observed infrastructure overlaps with a surveillance actor historically tracked as Stealth Falcon, a group previously associated with targeting dissidents and journalists, but Unit 42 cautions that these overlaps are not conclusive proof of who developed or sold LANDFALL.
Attribution: commercial vendor or nation-state?
Two intertwined facts complicate attribution:
Tool sophistication and modular quality. LANDFALL looks "commercial grade": modular payloads, configuration files and built-in C2 controls consistent with spyware products sold to government customers. Several outlets use the phrase "commercial-grade," reflecting Unit 42's assessment.
Infrastructure overlaps. Unit 42 observed partial overlaps in infrastructure and tactics with actors previously associated with targeted surveillance operations, such as clusters that have been linked to Stealth Falcon. Those overlaps are suggestive but not definitive; sale and re-use of tooling, shared infrastructure, or contracting between vendors and state actors can all produce similar patterns. Unit 42 therefore leaves attribution open, noting that the connections warrant further investigation but are insufficient to attribute LANDFALL to a specific vendor or sponsor.
Why image files and messaging apps make effective attack vectors
Image formats, and especially advanced RAW containers like DNG, are complex, with parsers that accept nested, compressed data. A flaw in the parser can be triggered simply by viewing the image, or merely by the OS processing it in the background. Messaging apps that automatically download and cache images (WhatsApp and others) can therefore become delivery mechanisms for "zero-click" or low-interaction exploit chains: the victim doesn't need to tap or open anything if the platform or OS processes the image automatically. That silent processing is what makes this class of vulnerability so dangerous: the exploit can execute before the user is aware of any suspicious content. Numerous recent campaigns (including both iOS and Android chains) have used crafted multimedia files for precisely this reason.
How broad is the risk today?
Samsung patched CVE-2025-21042 in April 2025, so patched devices should not be vulnerable to this specific exploit. Unit 42 and others emphasize that the samples were active from mid-2024 through early 2025 and that this exposure window is now closed, meaning the immediate technical risk from this particular zero-day is mitigated for users who installed the updates. However, the larger operational risk remains: attackers continually look for new zero-days, and commercial spyware vendors have repeatedly weaponized them. The discovery of LANDFALL is a reminder of the need for prompt patching, threat-intelligence sharing, and careful handling of suspicious media files.
Practical detection and mitigation steps
For users
Update now. If your Samsung device hasn't received or installed Android/security updates since April 2025, install them immediately. Vendors patch known flaws; patching eliminates the easy route this campaign used.
Limit automatic media downloads. In apps like WhatsApp, disable automatic download of images and other media, and avoid opening media from unknown or untrusted senders. Note that restricting automatic downloads to Wi-Fi only changes when a file arrives, not whether it is processed; disabling automatic download is the setting that actually removes the background-processing path described above.
Use antivirus/endpoint apps from reputable vendors on high-value devices, and consider a factory reset if you suspect compromise (but only after backing up essential, uninfected data, and ideally with guidance from a security professional).
Watch for indicators. Unexplained battery drain, unusual data usage, microphone or camera activation without reason, or unknown apps appearing in your launcher can be red flags.
For organizations & defenders
Patch quickly. Prioritize updates for vulnerable device fleets and enforce mobile device management (MDM) policies that block unpatched devices from sensitive systems.
Monitor C2 indicators. Unit 42's report includes IoCs (domains, file hashes, infrastructure patterns) that SOC teams can ingest into detection tools. Deploy network egress monitoring to identify unusual connections from mobile devices.
Coordinate disclosure and response. When vendors release patches, coordinate communication to users and supply-chain partners so vulnerable devices are updated quickly.
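The following is an added example written for this article; it is not code from Unit 42, Samsung or the LANDFALL samples, and it does not reproduce CVE-2025-21042, whose exact trigger the report summarized here does not spell out. It shows the two checks that the section on how the attack worked and the defender advice above imply: the bounds validation a safe TIFF/DNG parser must perform on every IFD entry and pixel strip before touching memory (the kind of check an out-of-bounds write means was missing), and a triage heuristic for flagging DNG files that carry data beyond what their IFDs account for, or that contain an ELF or ZIP signature where a payload might be smuggled. The sample files are constructed in the block, and all function names are the author's.

```python
import struct

# Byte width of each TIFF field type (DNG is a TIFF-based container).
TIFF_TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 6: 1, 7: 1, 8: 2,
                   9: 4, 10: 8, 11: 4, 12: 8}
STRIP_OFFSETS, STRIP_BYTE_COUNTS = 273, 279
# Signatures that have no business appearing inside a photo (heuristic).
EMBEDDED_SIGNATURES = {b"\x7fELF": "ELF", b"PK\x03\x04": "ZIP"}
MAX_IFDS = 16  # stop on absurd or cyclic IFD chains


def _inline_int(end, ftype, raw):
    """Decode a SHORT (3) or LONG (4) value stored inline in an IFD entry."""
    return struct.unpack(end + ("H" if ftype == 3 else "I"), raw)[0]


def inspect_dng(data):
    """Walk the IFD chain of a TIFF/DNG with every offset bounds-checked.

    Returns: problems (anything a safe parser must reject instead of reading
    or writing past its buffer), trailing_bytes (bytes after the extent the
    IFDs account for, where a smuggled payload would sit) and embedded
    (file-type signatures found inside the image)."""
    report = {"problems": [], "trailing_bytes": 0, "embedded": []}
    if len(data) < 8 or data[:2] not in (b"II", b"MM"):
        report["problems"].append("not a TIFF/DNG header")
        return report
    end = "<" if data[:2] == b"II" else ">"
    magic, ifd_off = struct.unpack(end + "HI", data[2:8])
    if magic != 42:
        report["problems"].append("bad TIFF magic %d" % magic)
        return report
    extent, seen, tags = 8, set(), {}
    while ifd_off and len(seen) < MAX_IFDS:
        if ifd_off in seen or ifd_off + 2 > len(data):
            report["problems"].append("IFD offset %d cyclic or out of bounds" % ifd_off)
            return report
        seen.add(ifd_off)
        (count,) = struct.unpack(end + "H", data[ifd_off:ifd_off + 2])
        ifd_end = ifd_off + 2 + 12 * count + 4
        if ifd_end > len(data):
            report["problems"].append("IFD at %d declares %d entries past EOF" % (ifd_off, count))
            return report
        for i in range(count):
            e = ifd_off + 2 + 12 * i
            tag, ftype, n, val = struct.unpack(end + "HHII", data[e:e + 12])
            width = TIFF_TYPE_SIZES.get(ftype)
            if width is None:
                report["problems"].append("tag %d has unknown type %d" % (tag, ftype))
                continue
            total = n * width
            if total <= 4:                      # value lives inside the entry itself
                tags[tag] = (ftype, n, data[e + 8:e + 8 + total])
                continue
            if val + total > len(data):         # the check an unsafe parser skips
                report["problems"].append("tag %d data [%d,%d) exceeds file size %d"
                                          % (tag, val, val + total, len(data)))
                continue
            tags[tag] = (ftype, n, val)
            extent = max(extent, val + total)
        (ifd_off,) = struct.unpack(end + "I", data[ifd_end - 4:ifd_end])
        extent = max(extent, ifd_end)
    # Pixel strips: the single-strip case (one inline SHORT/LONG each) is covered.
    so, sb = tags.get(STRIP_OFFSETS), tags.get(STRIP_BYTE_COUNTS)
    if so and sb and so[1] == sb[1] == 1 and so[0] in (3, 4) and sb[0] in (3, 4):
        soff, slen = _inline_int(end, so[0], so[2]), _inline_int(end, sb[0], sb[2])
        if soff + slen > len(data):
            report["problems"].append("strip [%d,%d) exceeds file size %d"
                                      % (soff, soff + slen, len(data)))
        else:
            extent = max(extent, soff + slen)
    report["trailing_bytes"] = len(data) - extent
    for sig, name in EMBEDDED_SIGNATURES.items():
        pos = data.find(sig, 8)
        if pos != -1:
            report["embedded"].append((name, pos))
    return report


def _sample(trailing=b"", strip_len=16):
    """Constructed minimal little-endian DNG-style TIFF (4x4, 8-bit, one strip).
    Not a real LANDFALL sample."""
    entries = [(256, 3, 1, 4), (257, 3, 1, 4), (258, 3, 1, 8)]
    strip_off = 8 + 2 + 12 * (len(entries) + 2) + 4      # pixel data follows the IFD
    entries += [(STRIP_OFFSETS, 4, 1, strip_off), (STRIP_BYTE_COUNTS, 4, 1, strip_len)]
    ifd = struct.pack("<H", len(entries))
    for tag, ftype, n, val in entries:
        ifd += struct.pack("<HHIH2x" if ftype == 3 else "<HHII", tag, ftype, n, val)
    ifd += struct.pack("<I", 0)                            # no further IFDs
    return b"II" + struct.pack("<HI", 42, 8) + ifd + b"\x80" * 16 + trailing


def sample_benign():
    return _sample()


def sample_appended_payload():
    # A fake ELF header padded to 32 bytes, glued on after the pixel strip.
    return _sample(trailing=b"\x7fELF" + b"\x00" * 28)


def sample_oversized_strip():
    # StripByteCounts claims 64 KiB in a 90-byte file: an unchecked decoder
    # would read or copy far past its buffer.
    return _sample(strip_len=0x10000)


if __name__ == "__main__":
    for name, fn in (("benign", sample_benign), ("appended payload", sample_appended_payload),
                     ("oversized strip", sample_oversized_strip)):
        print(name, inspect_dng(fn()))
```

Run against a directory of cached images from a messaging app, the `problems` list is what a hardened decoder would refuse to process, while non-zero `trailing_bytes` or a hit in `embedded` is a triage signal worth a second look rather than proof of compromise: some legitimate DNGs carry vendor trailers, so treat it as a lead for hash and C2 correlation against the published IoCs, not as a verdict.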
Bigger picture: what this means for mobile security
LANDFALL is the latest in a string of sophisticated multi-component campaigns that combine zero-day flaws in OS or vendor libraries with powerful surveillance implants. The commercial spyware market creates demand for high-quality exploits and turn-key delivery infrastructure that can target specific device makes and models; that demand helps sustain exploit markets and makes zero-click-style attacks practical for a broader set of actors. The industry response (better code auditing of complex parsers, faster patch deployment, and improved telemetry from messaging apps and OS vendors) must accelerate to keep up.
Final thoughts
LANDFALL's discovery shows how a single flaw in a widely used component (an image codec) can be abused to roll out a robust surveillance capability at scale. We now know the exploit was used in the wild for months before a patch, that the attackers favored a stealthy image-as-carrier tactic, and that the spyware offered capabilities typical of commercial surveillance toolkits. For individuals and organizations the takeaways are straightforward: keep devices updated, limit automatic handling of media from untrusted sources, and treat any report of zero-day exploitation seriously, since the technical mechanics that made LANDFALL possible can and will be reused unless defenses and operational practices improve.
Sources & further reading
Unit 42, Palo Alto Networks: technical report on LANDFALL (analysis, IoCs, timeline).
TechCrunch: coverage summarizing Unit 42's findings and the campaign's geographic scope.
The Hacker News: details on CVE-2025-21042, the delivery method and affected models.
SecurityWeek / Dark Reading / SecurityAffairs: corroborating reporting and context on the industry response.
Forbes: reporting on how the images were likely delivered, and further commentary on the ecosystem impact.