LANDFALL: New Commercial-Grade Android Spyware in Exploit Chain Targeting Samsung Devices

Unit 42 uncovered LANDFALL, a previously unknown Android spyware family targeting Samsung Galaxy devices that was delivered via malformed DNG image files exploiting a zero-day in Samsung’s image processing library (CVE-2025-21042) and active in mid-2024 through early 2025. The campaign used embedded shared object payloads and infrastructure consistent with commercial spyware operations targeting the Middle East and involved C2 servers such as brightvideodesigns[.]com and IPs like 92.243.65[.]240. #LANDFALL #CVE-2025-21042

Key Points

  • LANDFALL is Android spyware designed specifically for Samsung Galaxy devices, used in targeted intrusion activities mainly in the Middle East.
  • The spyware was delivered via malformed DNG (Digital Negative) image files that contained embedded ZIP archives extracting .so components, exploiting CVE-2025-21042 in Samsung’s libimagecodec.quram.so.
  • LANDFALL’s main loader (b.so) and an SELinux policy manipulator (l.so) were embedded in the DNG samples and provide capabilities for loading additional modules, manipulating SELinux, and persistence.
  • b.so supports extensive device fingerprinting, data exfiltration (microphone, calls, SMS, photos, contacts, files), dynamic loading of next-stage payloads, and defense-evasion checks (Frida, Xposed, debugger detection, TLS pinning).
  • Command-and-control infrastructure includes multiple domains and IPs (e.g., brightvideodesigns[.]com – 194.76.224[.]127; healthyeatingontherun[.]com – 92.243.65[.]240) observed from Oct 2024 through Sept 2025.
  • The campaign predates public disclosures of related DNG image exploits on other platforms, remained active and undetected for months, and shares tradecraft/infrastructure patterns with commercial PSOA-like operations.
  • Samsung patched CVE-2025-21042 in April 2025 and a related DNG vulnerability CVE-2025-21043 in September 2025, removing the exploited vector for patched devices.
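The delivery vector above (a DNG/TIFF image carrying an embedded ZIP archive whose .so entries the exploit extracts) is something a defender can triage without reproducing the exploit. The following scanner is an added example, not Unit 42's code or a LANDFALL sample: it locates ZIP local-file-header magic inside an image, parses the archive and flags shared-object entries. The sample image it builds is constructed, with placeholder entry names mirroring the report, and nothing in it is executable content.

```python
"""Triage helper: find ZIP archives hidden inside image files (added example)."""
import io
import struct
import zipfile

ZIP_LFH = b"PK\x03\x04"        # ZIP local file header signature
TIFF_LE = b"II*\x00"           # DNG is TIFF-based; little-endian TIFF magic
TIFF_BE = b"MM\x00*"           # big-endian TIFF magic
SUSPICIOUS_SUFFIXES = (".so", ".dex", ".apk")


def find_embedded_zip(data: bytes):
    """Return (offset, ZipFile) for the first parseable ZIP inside data, else None.

    Slicing at the local-file-header offset restores the archive's own offsets,
    so a ZIP appended after image data parses as if it were a standalone file.
    """
    start = 0
    while True:
        off = data.find(ZIP_LFH, start)
        if off == -1:
            return None
        try:
            zf = zipfile.ZipFile(io.BytesIO(data[off:]))
            zf.namelist()  # forces central-directory parsing; raises if bogus
            return off, zf
        except zipfile.BadZipFile:
            start = off + 1  # a coincidental 'PK' in pixel data; keep looking


def triage_image(data: bytes) -> dict:
    """Summarise an image: container type, embedded ZIP offset, entries, flagged names."""
    header = "tiff/dng" if data[:4] in (TIFF_LE, TIFF_BE) else "other"
    found = find_embedded_zip(data)
    if found is None:
        return {"header": header, "zip_offset": None, "entries": [], "flagged": []}
    off, zf = found
    names = zf.namelist()
    flagged = [n for n in names if n.lower().endswith(SUSPICIOUS_SUFFIXES)]
    return {"header": header, "zip_offset": off, "entries": names, "flagged": flagged}


def build_constructed_sample() -> bytes:
    """Constructed input: a minimal TIFF header, padding, then an appended ZIP.

    Not a real LANDFALL file; the entry names only mirror the report's (b.so, l.so)
    and the entry bodies are inert placeholders.
    """
    tiff = TIFF_LE + struct.pack("<I", 8)         # magic + offset of first IFD
    tiff += struct.pack("<H", 0) + struct.pack("<I", 0)  # empty IFD, no next IFD
    tiff += b"\x00" * 64                          # padding standing in for pixels
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("b.so", b"\x7fELF" + b"\x00" * 32)  # placeholder bytes only
        zf.writestr("l.so", b"\x7fELF" + b"\x00" * 32)
        zf.writestr("notes.txt", b"harmless")
    return tiff + buf.getvalue()


if __name__ == "__main__":
    print(triage_image(build_constructed_sample()))
```

Run it against any image that arrived through a messaging app; a TIFF/DNG container with a ZIP at a non-zero offset containing `.so` entries is a strong reason to quarantine the file and pull it into a sandbox rather than open it on a device.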

MITRE Techniques

  • [T1204] User Execution – Malicious DNG images appear to have been delivered via WhatsApp filenames (e.g., ‘WhatsApp Image 2025-02-10 at 4.54.17 PM.jpeg’), enabling delivery: ‘Judging by their filenames… attackers likely delivered these samples via WhatsApp.’
  • [T1203] Exploitation for Client Execution – Exploited a zero-day in Samsung image processing library (CVE-2025-21042) via malformed DNG files to achieve code execution: ‘these DNG files exploit CVE-2025-21042… The exploit extracts shared object library (.so) files from the embedded ZIP archive to run LANDFALL spyware.’
  • [T1620] Reflective Code Loading (shared-object side-loading) – Loader extracts and loads shared objects from embedded archives and memory (e.g., writes aa.so/dec_a.so and uses LD_PRELOAD to execute them): ‘writes the raw bytes to a staging file named aa.so… decompresses… writes to dec_a.so… LD_PRELOAD= …’
  • [T1609] Process Injection – Uses LD_PRELOAD to execute staged shared objects inside other processes: ‘LD_PRELOAD= PRELOAD_PATH=/data/data/com.samsung.ipservice/files/l.so /system/bin/id’.
  • [T1543] Create or Modify System Process – Manipulates SELinux policy at runtime via an extracted policy manipulator to gain elevated permissions: ‘l.so implements a generic engine that can dynamically parse and load new SELinux policy statements… modifying the running policy in memory.’
  • [T1082] System Information Discovery – Gathers device fingerprinting details including OS version, IMEI, IMSI, installed apps, VPN status, and more: ‘Device Fingerprinting … OS version, Hardware ID (IMEI), SIM/Subscriber ID (IMSI)…’
  • [T1016] System Network Configuration Discovery – Collects network configuration and VPN status as part of device fingerprinting: ‘Device Fingerprinting … Network configuration … VPN status.’
  • [T1071] Application Layer Protocol – C2 communication via HTTPS POSTs with pinned TLS and custom POST parameters to C2 servers: ‘b.so component of LANDFALL communicates with its C2 server over HTTPS… initial POST request containing detailed device and spyware information.’
  • [T1041] Exfiltration Over C2 Channel – Exfiltrates collected data (audio, calls, contacts, photos, arbitrary files) over HTTPS to C2: ‘Recording microphone … Camera photos … Arbitrary files’ and staged HTTPS upload behavior.
  • [T1497] Virtualization/Sandbox Evasion – Detects debugging and instrumentation frameworks (TracerPid, Frida, Xposed) to evade analysis: ‘Detecting TracerPid debugger, Detecting Frida instrumentation framework, Detecting Xposed framework.’

Indicators of Compromise

  • [File Hash] DNG image samples and embedded components – 9297888746158e38…56f93 (WhatsApp Image 2025-02-10 at 4.54.17 PM.jpeg), b06dec10e8ad0005…97756 (img-20250120-wa0005.jpg)
  • [File Hash] LANDFALL components – ffeeb0356abb56c5…42ffe2 (b.so), 69cf56ac6f3888ef…955ee (l.so)
  • [Domain] C2 infrastructure – brightvideodesigns[.]com (associated with 194.76.224[.]127), healthyeatingontherun[.]com (associated with 92.243.65[.]240)
  • [IP Address] C2 servers – 92.243.65[.]240 (seen Oct. 11, 2024–Sept. 2, 2025), 194.76.224[.]127 (seen Feb. 7, 2025–Sept. 19, 2025)
  • [Filename] Delivery filenames / WhatsApp indicators – ‘WhatsApp Image 2025-02-10 at 4.54.17 PM.jpeg’, ‘IMG-20240723-WA0000.jpg’ indicating likely WhatsApp delivery.
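The network indicators above are published defanged (`[.]`), so they cannot be matched against logs until they are refanged. The sweep below is an added example, not part of the Unit 42 report: it refangs the listed domains and IPs, validates the IPs, and runs them over DNS and proxy log lines, also catching subdomains of a listed C2 domain. The log lines are constructed; the indicators are the ones given on this page.

```python
"""Retro-hunt: sweep DNS/proxy logs for the LANDFALL C2 indicators (added example)."""
import ipaddress
import re

# Indicators exactly as the report lists them (defanged), with their type.
DEFANGED_IOCS = {
    "brightvideodesigns[.]com": "domain",
    "healthyeatingontherun[.]com": "domain",
    "194.76.224[.]127": "ip",
    "92.243.65[.]240": "ip",
}

# Constructed log lines for demonstration; the source address 10.0.0.5 is made up.
SAMPLE_LOGS = [
    "2025-02-10T16:54:20Z dns query=cdn.brightvideodesigns.com src=10.0.0.5",
    "2025-02-10T16:54:21Z proxy CONNECT 92.243.65.240:443 src=10.0.0.5",
    "2025-02-10T16:55:00Z dns query=example.org src=10.0.0.7",
]

# Hostnames (something.tld) or dotted-quad IPv4 addresses inside a log line.
HOST_RE = re.compile(r"[a-z0-9.-]+\.[a-z]{2,}|\d{1,3}(?:\.\d{1,3}){3}")


def refang(value: str) -> str:
    """Undo the usual defanging conventions so the indicator matches real traffic."""
    return value.replace("[.]", ".").replace("hxxp", "http").lower()


def load_iocs(defanged: dict) -> dict:
    """Refang and validate the indicator list; returns {indicator: type}."""
    iocs = {}
    for raw, kind in defanged.items():
        value = refang(raw)
        if kind == "ip":
            ipaddress.ip_address(value)  # raises ValueError on a malformed IP
        iocs[value] = kind
    return iocs


def scan_log_lines(lines, iocs: dict):
    """Return (line_no, matched_token, match_kind) for every indicator hit."""
    hits = []
    for line_no, line in enumerate(lines, 1):
        for token in HOST_RE.findall(line.lower()):
            if token in iocs:
                hits.append((line_no, token, iocs[token]))
                continue
            # A lookup for any host under a listed C2 domain is just as interesting.
            for ioc, kind in iocs.items():
                if kind == "domain" and token.endswith("." + ioc):
                    hits.append((line_no, token, "subdomain-of:" + ioc))
    return hits


if __name__ == "__main__":
    for hit in scan_log_lines(SAMPLE_LOGS, load_iocs(DEFANGED_IOCS)):
        print(hit)
```

Because the report gives observation windows for both IPs (Oct 2024 to Sept 2025), a retro-hunt should cover at least that span; a hit on the IP with no matching DNS query is worth a look on its own, since the b.so component pins TLS and may not resolve the name the way a browser would.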


Read more: https://unit42.paloaltonetworks.com/landfall-is-new-commercial-grade-android-spyware/