A now-patched security flaw in Samsung Galaxy Android devices was exploited as a zero-day to deliver a “commercial-grade” Android spyware dubbed LANDFALL in targeted attacks in the Middle East.
The activity involved the exploitation of CVE-2025-21042 (CVSS score: 8.8), an out-of-bounds write flaw in the “libimagecodec.quram.so” component that could allow remote attackers to execute arbitrary code, according to Palo Alto Networks Unit 42. The issue was addressed by Samsung in April 2025.
“This vulnerability was actively exploited in the wild before Samsung patched it in April 2025, following reports of in-the-wild attacks,” Unit 42 said. Potential targets of the activity, tracked as CL-UNK-1054, are located in Iraq, Iran, Turkey, and Morocco based on VirusTotal submission data.
The development comes as Samsung disclosed in September 2025 that another flaw in the same library (CVE-2025-21043, CVSS score: 8.8) had also been exploited in the wild as a zero-day. There is no evidence of this security flaw being weaponized in the LANDFALL campaign.
It’s assessed that the attacks involved sending malicious images via WhatsApp in the form of DNG (Digital Negative) files, with evidence of LANDFALL samples going all the way back to July 23, 2024. This is based on DNG artifacts bearing names like “WhatsApp Image 2025-02-10 at 4.54.17 PM.jpeg” and “IMG-20240723-WA0000.jpg.”
LANDFALL, once installed and executed, acts as a comprehensive spy tool, capable of harvesting sensitive data, including microphone recording, location, photos, contacts, SMS, files, and call logs. The exploit chain is said to have likely involved the use of a zero-click approach to trigger exploitation of CVE-2025-21042 without requiring any user interaction.
Figure: Flowchart for LANDFALL spyware
It’s worth noting that around the same time WhatsApp disclosed that a flaw in its messaging app for iOS and macOS (CVE-2025-55177, CVSS score: 5.4) was chained along with CVE-2025-43300 (CVSS score: 8.8), a flaw in Apple iOS, iPadOS, and macOS, to potentially target less than 200 users as part of a sophisticated campaign. Apple and WhatsApp have since patched the flaws.
Figure: Timeline for recent malicious DNG image files and associated exploit activity
Unit 42’s analysis of the discovered DNG files shows that they come with an embedded ZIP file appended to the end of the file, with the exploit being used to extract a shared object library from the archive to run the spyware. Also present in the archive is another shared object that’s designed to manipulate the device’s SELinux policy to grant LANDFALL elevated permissions and facilitate persistence.
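
A defender-side triage check for the file structure described above, as an added example that is not code from Unit 42 or the original article: it flags TIFF/DNG data that carries a trailing ZIP archive, and JPEG file names on TIFF data like the artifact names quoted earlier. The function names, the sample builder and the member name `example.so` are constructed for illustration, and the heuristic assumes a classic (non-ZIP64) archive.

```python
import io
import struct
import zipfile

TIFF_MAGICS = (b"II*\x00", b"MM\x00*")  # little/big-endian TIFF, the container DNG is built on
EOCD_SIG = b"PK\x05\x06"                # ZIP end-of-central-directory record


def inspect_image(name: str, data: bytes) -> dict:
    """Report whether TIFF/DNG data has a ZIP appended and a JPEG-style name."""
    is_tiff = data[:4] in TIFF_MAGICS
    report = {
        "tiff_container": is_tiff,
        "name_mismatch": is_tiff and name.lower().endswith((".jpg", ".jpeg")),
        "zip_offset": None,
        "members": [],
    }
    eocd = data.rfind(EOCD_SIG)
    if not is_tiff or eocd < 0 or eocd + 22 > len(data):
        return report
    # EOCD layout: central directory size at +12, its archive-relative offset at +16.
    cd_size, cd_offset = struct.unpack_from("<II", data, eocd + 12)
    # Where the archive begins inside the carrier file.
    start = eocd - cd_size - cd_offset
    if start < 8:  # must sit after the 8-byte TIFF header
        return report
    try:
        with zipfile.ZipFile(io.BytesIO(data[start:])) as zf:
            report["members"] = zf.namelist()
            report["zip_offset"] = start
    except zipfile.BadZipFile:
        pass  # stray signature bytes, not a parseable archive
    return report


def build_sample() -> bytes:
    """Constructed input: TIFF header plus padding, then a ZIP with one dummy member."""
    carrier = b"II*\x00\x08\x00\x00\x00" + b"\x00" * 64
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("example.so", b"\x7fELF placeholder")  # constructed name and content
    return carrier + buf.getvalue()


if __name__ == "__main__":
    print(inspect_image("IMG-20240723-WA0000.jpg", build_sample()))
```

A hit is a reason to quarantine the file and inspect the member list for shared objects, not proof of compromise on its own.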

The shared object that loads LANDFALL also communicates with a command-and-control (C2) server over HTTPS to enter into a beaconing loop and receive unspecified next-stage payloads for subsequent execution.
It’s currently not known who is behind the spyware or the campaign. That said, Unit 42 said LANDFALL’s C2 infrastructure and domain registration patterns dovetail with those of Stealth Falcon (aka FruityArmor), although, as of October 2025, no direct overlaps between the two clusters have been detected.
“From the initial appearance of samples in July 2024, this activity highlights how sophisticated exploits can remain in public repositories for an extended period before being fully understood,” Unit 42 said.