A now-patched safety flaw in Samsung Galaxy Android units was exploited as a zero-day to ship a “commercial-grade” Android adware dubbed LANDFALL in focused assaults within the Center East.
The exercise concerned the exploitation of CVE-2025-21042 (CVSS rating: 8.8), an out-of-bounds write flaw within the “libimagecodec.quram.so” element that might permit distant attackers to execute arbitrary code, based on Palo Alto Networks Unit 42. The difficulty was addressed by Samsung in April 2025.
“This vulnerability was actively exploited within the wild earlier than Samsung patched it in April 2025, following reviews of in-the-wild assaults,” Unit 42 stated. Potential targets of the exercise, tracked as CL-UNK-1054, are positioned in Iraq, Iran, Turkey, and Morocco primarily based on VirusTotal submission information.
The event comes as Samsung disclosed in September 2025 that one other flaw in the identical library (CVE-2025-21043, CVSS rating: 8.8) had additionally been exploited within the wild as a zero-day. There isn’t any proof of this safety flaw being weaponized within the LANDFALL marketing campaign.
It is assessed that the assaults concerned sending by way of WhatsApp malicious photographs within the type of DNG (Digital Unfavorable) information, with proof of LANDFALL samples going all the best way again to July 23, 2024. That is primarily based on DNG artifacts bearing names like “WhatsApp Picture 2025-02-10 at 4.54.17 PM.jpeg” and “IMG-20240723-WA0000.jpg.”
LANDFALL, as soon as put in and executed, acts as a complete spy instrument, able to harvesting delicate information, together with microphone recording, location, photographs, contacts, SMS, information, and name logs. The exploit chain is alleged to have possible concerned using a zero-click strategy to set off exploitation of CVE-2025-21042 with out requiring any person interplay.
 |
| Flowchart for LANDFALL adware |
It is price noting that across the identical time WhatsApp disclosed {that a} flaw in its messaging app for iOS and macOS (CVE-2025-55177, CVSS rating: 5.4) was chained together with CVE-2025-43300 (CVSS rating: 8.8), a flaw in Apple iOS, iPadOS, and macOS, to probably goal lower than 200 customers as a part of a complicated marketing campaign. Apple and WhatsApp have since patched the failings.
 |
| Timeline for latest malicious DNG picture information and related exploit exercise |
Unit 42’s evaluation of the found DNG information present that they arrive with an embedded ZIP file appended to the top of the file, with the exploit getting used to extract a shared object library from the archive to run the adware. Additionally current within the archive is one other shared object that is designed to govern the gadget’s SELinux coverage to grant LANDFALL elevated permissions and facilitate persistence.
The shared object that masses LANDFALL additionally communicates with a command-and-control (C2) server over HTTPS to enter right into a beaconing loop and obtain unspecified next-stage payloads for subsequent execution.
It is presently not recognized who’s behind the adware or the marketing campaign. That stated, Unit 42 stated LANDFALL’s C2 infrastructure and area registration patterns dovetail with that of Stealth Falcon (aka FruityArmor), though, as of October 2025, no direct overlaps between the 2 clusters have been detected.
“From the preliminary look of samples in July 2024, this exercise highlights how refined exploits can stay in public repositories for an prolonged interval earlier than being totally understood,” Unit 42 stated.
Elevate your perspective with NextTech Information, the place innovation meets perception.
Uncover the newest breakthroughs, get unique updates, and join with a worldwide community of future-focused thinkers.
Unlock tomorrow’s tendencies right now: learn extra, subscribe to our e-newsletter, and turn out to be a part of the NextTech neighborhood at NextTech-news.com
