LANDFALL is a previously undocumented Android spyware family observed targeting Samsung Galaxy devices via malformed DNG (Digital Negative) image files. The campaign exploited CVE-2025-21042, a zero-day in Samsung’s image-processing library, to achieve remote code execution—likely with a zero-click path when images were received over WhatsApp. Activity appears to have begun by July 2024 and continued into early 2025, predating Samsung’s April 2025 patch. Once resident, LANDFALL enabled full-spectrum surveillance, including microphone recording, location tracking, and exfiltration of photos, contacts, call logs and other device data. Targeting and infrastructure suggest a Middle East and North Africa focus. Attribution remains open; overlaps in tradecraft point toward commercial spyware ecosystems, but no vendor link is conclusive.
Delivery hinged on DNG images that concealed an appended ZIP payload. When processed by vulnerable Samsung devices (notably Galaxy S22, S23, S24, Z Fold4 and Z Flip4 on specific builds), the exploit unpacked native components and executed a loader referred to in its own debug strings as “Bridge Head” (b.so). A companion module (l.so) manipulated SELinux policy to elevate permissions and aid persistence. The loader supports dynamic loading of additional .so and DEX modules, process injection and LD_PRELOAD-style execution, and communicates with command-and-control over HTTPS using certificate pinning and structured POST beacons that enumerate device and agent metadata. No new WhatsApp vulnerability was required; WhatsApp appears to have served as a convenient delivery channel because media is routinely auto-downloaded and processed on many devices.
Malicious DNG samples were submitted to public malware repositories beginning in July 2024. The underlying Samsung vulnerability was privately reported in September 2024 and patched in April 2025. Parallel disclosures on iOS and additional DNG-related issues (including Samsung’s CVE-2025-21043 and Apple’s CVE-2025-43300, as well as a WhatsApp-side issue used in other chains) surfaced in August–September 2025, underscoring a broader wave of DNG parsing abuse across mobile platforms. Organizations with Samsung fleets that lagged April 2025 updates should assume possible exposure during that window.
For affected devices, the impact is severe: covert audio capture, location monitoring, collection of communications metadata and content, and arbitrary file theft. The campaign shows hallmarks of targeted operations, with indicators pointing to victims in Iran, Iraq, Turkey and Morocco. Although some infrastructure and naming conventions echo known private-sector offensive actors and Middle East–linked operations, available evidence does not support definitive attribution.
Prioritize patching and verification. Ensure every Samsung device has applied the April 2025 security update (and later) and that WhatsApp and other messaging apps are current. Where policy allows, disable automatic media download to reduce silent parsing of inbound images. If a device may have been exposed during the vulnerable period or shows suspicious behavior, isolate it from networks, preserve evidence, and prefer a full firmware reflash over simple app removal; restoring from known-good backups only after reimage minimizes the risk of reinfection. For enterprises, enforce update compliance via MDM/EMM, restrict app permissions (especially microphone, location and external storage), and deploy Mobile Threat Defense capable of detecting anomalous native libraries, SELinux policy tampering, and process injection. Hunt retrospectively for DNG files with appended ZIP content in WhatsApp media folders, for unexpected native .so files or “Bridge Head” strings in app directories, and for unusual HTTPS POST beacons from mobile endpoints shortly after media receipt. Where indicators of compromise are found, block associated domains and IPs, reimage affected devices, and notify potentially targeted users with clear guidance.
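As an added illustration of the retrospective hunt for DNG files carrying a ZIP trailer (example code written for this bulletin, not tooling from the report or from any vendor): the scanner below verifies a TIFF/DNG header, looks for a ZIP local-file signature followed by an end-of-central-directory record, and tries to parse the trailer so that stray signature bytes inside pixel data are not mistaken for a payload. The sample file is constructed in memory; the member names b.so and l.so mirror the module names cited above, and the folder to scan is whatever path you pass to scan_tree.

```python
import io
import os
import struct
import zipfile

TIFF_MAGIC = (b"II*\x00", b"MM\x00*")   # DNG is TIFF-based: little- or big-endian header
ZIP_LOCAL_HEADER = b"PK\x03\x04"
ZIP_EOCD = b"PK\x05\x06"               # end-of-central-directory record

def find_appended_zip(data: bytes):
    """Return a finding dict if a ZIP archive trails the TIFF/DNG structure, else None."""
    if data[:4] not in TIFF_MAGIC:
        return None                      # not TIFF-based, so not a DNG
    zip_off = data.find(ZIP_LOCAL_HEADER, 8)
    if zip_off == -1 or data.rfind(ZIP_EOCD) < zip_off:
        return None                      # no archive-shaped trailer after the header
    finding = {"zip_offset": zip_off, "parsed": False, "members": []}
    try:
        with zipfile.ZipFile(io.BytesIO(data[zip_off:])) as zf:
            finding["parsed"] = True     # a real archive, not chance signature bytes in pixel data
            finding["members"] = zf.namelist()
    except zipfile.BadZipFile:
        pass                             # signature present but unparsable: still worth a look
    return finding

def scan_tree(root: str):
    """Walk a media folder and yield (path, finding) for every DNG carrying a ZIP trailer."""
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.lower().endswith(".dng"):
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    finding = find_appended_zip(fh.read())
                if finding:
                    yield path, finding

def build_constructed_tiff() -> bytes:
    """Constructed, benign little-endian TIFF: header, an empty IFD and zeroed padding."""
    return b"II*\x00" + struct.pack("<IHI", 8, 0, 0) + b"\x00" * 64

def build_constructed_sample() -> bytes:
    """Constructed stand-in for a malicious DNG: the TIFF above with a ZIP appended.
    Member names mirror the report's loader/module names; contents are placeholder text."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("b.so", b"placeholder, not a real library")
        zf.writestr("l.so", b"placeholder, not a real library")
    return build_constructed_tiff() + buf.getvalue()

if __name__ == "__main__":
    print(find_appended_zip(build_constructed_sample()))
```

Treat a parsed trailer as a high-confidence hit and an unparsed signature as a lead to review manually, since a legitimate image can contain those four bytes by chance.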
If you are worried about any of the threats outlined in this bulletin or need help in determining what steps you should take to protect yourself from the most material threats facing your organisation, please contact your account manager, or alternatively Get in touch to find out how you can protect your organisation.