

Executive Summary

In late 2025, Palo Alto Networks’ Unit 42 unveiled LANDFALL, a previously unknown and highly sophisticated Android spyware family crafted specifically for Samsung Galaxy devices. Delivered through maliciously crafted DNG image files — often disguised as innocent WhatsApp photos — LANDFALL represents a new milestone in mobile exploitation: commercial-grade surveillance capabilities delivered through zero-click image parsing vulnerabilities.

LANDFALL exploited a Samsung zero-day (CVE-2025-21042) as early as mid-2024, long before the vulnerability was disclosed or patched. The campaign shows hallmarks of operations typically associated with private-sector offensive actors (PSOAs) and advanced nation-state buyers in the Middle East.

This article provides a deep-dive analysis, contextualizing LANDFALL within the growing ecosystem of DNG-based exploit chains affecting both Android and Apple devices, and offering CISOs concrete recommendations to reduce exposure.

What Is LANDFALL?

LANDFALL is a modular Android spyware framework engineered to silently infiltrate Samsung Galaxy devices and extract virtually every category of personal and system data, including:

  • Live microphone recordings
  • Device location
  • Photos & media
  • SMS, contacts, call logs
  • Application databases
  • WhatsApp directory monitoring
  • SELinux manipulation for long-term persistence

It is not mass-distribution malware. Evidence indicates a targeted espionage campaign focused mainly on the Middle East, with VirusTotal submissions originating from Turkey, Iraq, Iran, and Morocco.

LANDFALL’s architecture and tradecraft strongly suggest a commercial-grade espionage vendor rather than traditional cybercrime groups.

The Exploit Chain: Zero-Click Through Malformed DNG Images

LANDFALL relies on a critical vulnerability in Samsung’s image-processing library (libimagecodec.quram.so), tracked as:

  • CVE-2025-21042 (Samsung SVE-2024-1969)

Attackers embedded a ZIP archive inside malicious DNG image files. When the image was automatically processed by Samsung’s library — for instance via WhatsApp image preview — the payload executed without user interaction.

The infection chain:

  1. Victim receives a WhatsApp image (a DNG file, typically carrying an ordinary .jpg/.jpeg name) that shows no visible threat.
  2. Samsung’s image codec processes the file.
  3. The DNG exploit extracts and loads .so components from a hidden ZIP.
  4. LANDFALL gains execution and deploys:
    • b.so → the main backdoor (“Bridge Head” loader)
    • l.so → SELinux policy manipulator
  5. The spyware establishes persistence and connects to remote C2 servers via HTTPS.

This delivery model mirrors recent Apple exploit chains, especially those involving CVE-2025-43300 (DNG parsing zero-day) and WhatsApp’s CVE-2025-55177 vulnerability.

LANDFALL proves that image-based zero-click exploits are no longer iOS-only territory.

A New Trend: DNG Image Format as a Cross-Platform Exploitation Vector

Over 2024–2025, a series of high-profile discoveries revealed DNG processing flaws across multiple ecosystems. The pattern includes:

Samsung

  • CVE-2025-21042 (April patch)
  • CVE-2025-21043 (September patch)

Apple iOS

  • CVE-2025-43300 (August patch)

WhatsApp

  • CVE-2025-55177 (zero-click URL loading vulnerability)

This clustering indicates a systematic interest by threat actors in DNG processing pipelines — especially those used by messaging apps that auto-preview images.

LANDFALL is, so far, the most methodical and long-running exploitation of this vector.


Technical Deep Dive: How LANDFALL Operates

Components Inside the Malicious DNG Files

LANDFALL’s payload resides in two critical components:

b.so – the Loader (“Bridge Head”)

  • ARM64 ELF shared object
  • Acts as initial backdoor
  • Performs device fingerprinting
  • Loads additional modules (.so, DEX) at runtime
  • Manages C2 communication
  • Performs anti-debug, anti-Frida, anti-Xposed checks
  • Uses certificate pinning

l.so – SELinux Manipulation Engine

  • Extracted from XZ-compressed ELF
  • Appears designed to modify SELinux policies
  • Enables privileged operations
  • Aids persistence and evasion

The presence of SELinux tampering capabilities indicates extremely high technical maturity.
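The exploit chain described above (a ZIP archive appended to a DNG, with b.so and l inside it) and the component descriptions (an ARM64 ELF loader and an XZ-compressed ELF for l.so) suggest a simple defender-side triage check: does a file that presents itself as a TIFF/DNG also carry a parseable ZIP, and what are its members? The Python below is an added example, not code from Unit 42 or from the LANDFALL samples. The sample DNG and the ZIP members are constructed inline; the member names b.so and l are the only page-derived values, and the ZIP, ELF and XZ signatures are standard format magics.

```python
import io
import struct
import zipfile
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Standard format magics used for triage (not values taken from any sample).
ZIP_LOCAL_HEADER = b"PK\x03\x04"
ZIP_EOCD = b"PK\x05\x06"
ELF_MAGIC = b"\x7fELF"
XZ_MAGIC = b"\xfd7zXZ\x00"
EM_AARCH64 = 0xB7  # ELF e_machine value for ARM64


@dataclass
class DngScanResult:
    is_tiff_container: bool
    zip_offsets: List[int] = field(default_factory=list)
    members: Dict[str, str] = field(default_factory=dict)  # member name -> classified type
    suspicious: bool = False


def parse_tiff_header(data: bytes) -> Optional[Tuple[str, int]]:
    """DNG is TIFF-based: return (byte order, first IFD offset) or None if not TIFF."""
    if len(data) < 8:
        return None
    if data[:4] == b"II*\x00":
        return "little", struct.unpack("<I", data[4:8])[0]
    if data[:4] == b"MM\x00*":
        return "big", struct.unpack(">I", data[4:8])[0]
    return None


def classify_blob(blob: bytes) -> str:
    """Label an extracted member by its leading magic bytes."""
    if blob.startswith(ELF_MAGIC) and len(blob) >= 20:
        little = blob[5] == 1  # EI_DATA: 1 = little-endian, 2 = big-endian
        machine = struct.unpack("<H" if little else ">H", blob[18:20])[0]
        return "elf-aarch64" if machine == EM_AARCH64 else f"elf-machine-{machine:#x}"
    if blob.startswith(XZ_MAGIC):
        return "xz-archive"
    return "unknown"


def find_zip_offsets(data: bytes) -> List[int]:
    """Offsets of every ZIP local-file-header signature in the blob."""
    offsets, pos = [], data.find(ZIP_LOCAL_HEADER)
    while pos != -1:
        offsets.append(pos)
        pos = data.find(ZIP_LOCAL_HEADER, pos + 1)
    return offsets


def scan_dng(data: bytes) -> DngScanResult:
    """Flag a TIFF/DNG blob that also carries a parseable ZIP archive."""
    result = DngScanResult(is_tiff_container=parse_tiff_header(data) is not None)
    result.zip_offsets = find_zip_offsets(data)
    if result.zip_offsets and ZIP_EOCD in data:
        try:
            # Parse from the first local header; a chance "PK\x03\x04" inside pixel
            # data will not yield a valid archive, which keeps false positives low.
            with zipfile.ZipFile(io.BytesIO(data[result.zip_offsets[0]:])) as zf:
                for name in zf.namelist():
                    result.members[name] = classify_blob(zf.read(name))
        except zipfile.BadZipFile:
            pass
    # A camera-produced DNG has no reason to carry a ZIP archive at all.
    result.suspicious = result.is_tiff_container and bool(result.members)
    return result


def build_minimal_tiff() -> bytes:
    """Constructed sample: little-endian TIFF header plus a one-entry IFD (ImageWidth=1)."""
    header = b"II*\x00" + struct.pack("<I", 8)
    ifd = struct.pack("<H", 1) + struct.pack("<HHII", 0x0100, 3, 1, 1) + struct.pack("<I", 0)
    return header + ifd


def fake_elf_aarch64() -> bytes:
    """Constructed stand-in for an ARM64 ELF: only the header fields this script inspects."""
    ident = ELF_MAGIC + bytes([2, 1, 1]) + b"\x00" * 9  # ELFCLASS64, little-endian, version 1
    return ident + struct.pack("<HH", 3, EM_AARCH64) + b"\x00" * 44  # e_type=ET_DYN, e_machine


def build_sample_dng_with_zip() -> bytes:
    """Constructed sample mimicking the described layout: a ZIP appended to a DNG."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("b.so", fake_elf_aarch64())          # loader stand-in
        zf.writestr("l", XZ_MAGIC + b"\x00" * 16)        # XZ-compressed component stand-in
    return build_minimal_tiff() + buf.getvalue()


if __name__ == "__main__":
    print(scan_dng(build_sample_dng_with_zip()))
```

Run on a real file with `scan_dng(open(path, "rb").read())`. The check is deliberately format-level: it does not attempt to reproduce the codec bug, only to surface the structural anomaly (an image that is also an archive) that the delivery method depends on, which is what a mail or messaging gateway can act on.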

LANDFALL Capabilities: Full Espionage Toolkit

LANDFALL supports an extensive suite of spying and operational functions:

Surveillance & Data Collection

  • Device geolocation
  • Microphone recording
  • Call recording
  • Contacts, call logs, messages
  • Browser databases
  • File exfiltration, including photos

Execution & Persistence

  • Dynamic loading of native modules
  • DEX execution
  • LD_PRELOAD abuse
  • SELinux bypass
  • Monitoring WhatsApp media for incoming payloads
  • Filesystem manipulation

Evasion

  • Anti-debugging (TracerPid)
  • Detection of Frida & Xposed
  • Namespace manipulation
  • Cleanup of image payload traces

LANDFALL has targeted Samsung Galaxy S22, S23, S24, Z Fold4, and Z Flip4 devices, indicating a precisely defined victim set.

Command & Control Infrastructure

The malware communicates via HTTPS on non-default TCP ports, masquerading traffic with custom headers and pinned certificates.

Known C2 servers linked to LANDFALL include:

  • brightvideodesigns[.]com
  • hotelsitereview[.]com
  • healthyeatingontherun[.]com
  • projectmanagerskills[.]com

IPs span Sweden, Germany, and France — consistent with PSOA-style infrastructure setups.

Attribution Analysis: A PSOA Fingerprint

LANDFALL exhibits clear hallmarks of private-sector spyware vendors:

  • Use of an image-based zero-click chain
  • SELinux policy manipulation
  • custom loader named “Bridge Head” (commonly used in NSO, Variston, Cytrox tooling)
  • complex multi-stage architecture
  • C2 infrastructure overlapping with tradecraft of Stealth Falcon-style groups

Although attribution is not confirmed, technical similarities point to Middle Eastern PSOAs or their clients.

Unit 42 tracks the threat as CL-UNK-1054.

Timeline of the LANDFALL Campaign

Date          Event
July 2024     First malicious DNG samples uploaded to VirusTotal
Sept 2024     Vulnerability privately reported to Samsung
April 2025    Samsung patches CVE-2025-21042
Aug 2025      Apple & WhatsApp patch similar DNG RCE chains
Aug 2025      LANDFALL discovered during iOS exploit hunt
Sept 2025     Samsung patches CVE-2025-21043

LANDFALL was operational for nearly a year before patching.

Impact for CISOs and Security Teams

LANDFALL illustrates a new frontier in mobile exploitation:

1. Messaging apps are now delivery vectors even without user interaction

Auto-image parsing is enough.

2. Mobile devices remain the weakest point in enterprise security

Especially personal BYOD phones.

3. Zero-click PSOA-grade spyware is becoming multi-platform

No longer limited to Pegasus-like iOS targeting.

4. DNG image format must be considered a high-risk file type

Enterprises should evaluate whether DNG parsing is needed at all.

5. Samsung and Android ecosystems must accelerate patch rollout compliance


Recommendations for CISOs

Short-Term (0–30 Days)

✔ Enforce Mobile OS patch levels in MDM/Intune
✔ Block DNG file types in messaging gateways (if possible)
✔ Require app isolation (Samsung Knox / Android Enterprise Work Profile)
✔ Enable hardware-based attestation

Medium-Term (30–90 Days)

✔ Audit corporate WhatsApp usage policies
✔ Deploy mobile threat defense (MTD) solutions
✔ Monitor network egress for known LANDFALL C2 domains

Long-Term Strategic

✔ Adopt a Zero-Trust Mobile strategy
✔ Integrate mobile telemetry into SIEM/SOAR
✔ Require vendor-level SBOM & secure image pipeline documentation

LANDFALL is a reminder: modern APT-grade spyware no longer needs your users to click anything.

Indicators of Compromise (IOCs)

Command-and-Control (C2) Domains

  • brightvideodesigns.com
  • healthyeatingontherun.com
  • hotelsitereview.com
  • projectmanagerskills.com

Command-and-Control (C2) IP Addresses

  • 45.155.250.158
  • 46.246.28.75
  • 91.132.92.35
  • 92.243.65.240
  • 192.36.57.56
  • 194.76.224.127
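The medium-term recommendation to monitor network egress for known LANDFALL C2 domains can be combined with the domain and IP lists above into a straightforward log sweep. The Python below is an added example, not tooling from the article or from Unit 42. It assumes a simple `src=/dst=/port=/host=` egress log shape constructed for this example (not a real product format); the sample log lines are constructed, and the non-IOC addresses in them come from the RFC 5737 documentation ranges. Only the C2 domains and IPs are taken from the IOC list on this page.

```python
import re
from collections import Counter
from typing import Dict, List, NamedTuple, Optional, Tuple

# Indicators as published in the IOC list above, kept defanged in source form.
C2_DOMAINS_DEFANGED = [
    "brightvideodesigns[.]com",
    "hotelsitereview[.]com",
    "healthyeatingontherun[.]com",
    "projectmanagerskills[.]com",
]
C2_IPS = {
    "45.155.250.158", "46.246.28.75", "91.132.92.35",
    "92.243.65.240", "192.36.57.56", "194.76.224.127",
}


def refang(indicator: str) -> str:
    """Turn a defanged indicator ("a[.]b") back into a matchable hostname."""
    return indicator.replace("[.]", ".").lower()


C2_DOMAINS = {refang(d) for d in C2_DOMAINS_DEFANGED}


class Hit(NamedTuple):
    line_no: int
    src: str
    indicator: str
    kind: str   # "domain", "subdomain" or "ip"
    port: int   # the article notes C2 over HTTPS on non-default ports, so keep it visible


# Assumed log shape (constructed for this example):
#   <timestamp> src=<ip> dst=<ip> port=<n> host=<SNI or HTTP Host, may be empty>
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+port=(?P<port>\d+)\s+host=(?P<host>\S*)$"
)


def match_domain(host: str) -> Optional[Tuple[str, str]]:
    """Exact match or subdomain of a listed C2 domain; avoids 'notexample.com' false hits."""
    host = host.lower().rstrip(".")
    for d in C2_DOMAINS:
        if host == d:
            return d, "domain"
        if host.endswith("." + d):
            return d, "subdomain"
    return None


def scan_egress_log(lines: List[str]) -> List[Hit]:
    """One Hit per matched indicator per line; a line can match both a domain and an IP."""
    hits: List[Hit] = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # malformed line: skip rather than abort the sweep
        port = int(m["port"])
        dm = match_domain(m["host"]) if m["host"] else None
        if dm:
            hits.append(Hit(n, m["src"], dm[0], dm[1], port))
        if m["dst"] in C2_IPS:
            hits.append(Hit(n, m["src"], m["dst"], "ip", port))
    return hits


def hits_by_source(hits: List[Hit]) -> Dict[str, int]:
    """Which internal devices produced the hits; the starting point for device triage."""
    return dict(Counter(h.src for h in hits))


# Constructed sample log: 10.20.1.15 talks to a listed domain on a non-default port and to
# a listed IP with no SNI; 10.20.1.40 reaches a subdomain of a listed domain.
SAMPLE_EGRESS_LOG = [
    "2025-11-07T09:14:02Z src=10.20.1.15 dst=192.0.2.10 port=443 host=www.example.com",
    "2025-11-07T09:14:09Z src=10.20.1.15 dst=45.155.250.158 port=8443 host=hotelsitereview.com",
    "2025-11-07T09:15:31Z src=10.20.1.22 dst=203.0.113.9 port=443 host=cdn.example.net",
    "2025-11-07T09:16:00Z src=10.20.1.15 dst=91.132.92.35 port=443 host=",
    "2025-11-07T09:17:45Z src=10.20.1.40 dst=198.51.100.77 port=443 host=api.projectmanagerskills.com",
]


if __name__ == "__main__":
    for h in scan_egress_log(SAMPLE_EGRESS_LOG):
        print(h)
    print(hits_by_source(scan_egress_log(SAMPLE_EGRESS_LOG)))
```

Matching on both the destination IP and the SNI/Host value matters here: line 4 of the sample carries no hostname at all and would be missed by a domain-only block list, while line 5 would be missed by an exact-match list. Adapting the script to a real proxy, Zeek or NetFlow export means replacing `LOG_RE` and nothing else.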

Malware SHA-256 Hashes (All Samples Identified)

Malicious DNG / JPEG / TIFF Containers
b06dec10e8ad0005ebb9da24204c96cb2e297bd8d418bc1c8983d066c0997756
c0f30c2a2d6f95b57128e78dc0b7180e69315057e62809de1926b75f86516b2e
9297888746158e38d320b05b27b0032b2cc29231be8990d87bc46f1e06456f93
b975b499baa3119ac5c2b3379306d4e50b9610e9bba3e56de7dfd3927a96032d
29882a3c426273a7302e852aa77662e168b6d44dcebfca53757e29a9cdf02483
b45817ffb0355badcc89f2d7d48eecf00ebdf2b966ac986514f9d971f6c57d18

LANDFALL Spyware Components (b.so, loaders)
d2fafc7100f33a11089e98b660a85bd479eab761b137cca83b1f6d19629dd3b0
384f073d3d51e0f2e1586b6050af62de886ff448735d963dfc026580096d81bd
a62a2400bf93ed84ebadf22b441924f904d3fcda7d1507ba309a4b1801d44495
ffeeb0356abb56c5084756a5ab0a39002832403bca5290bb6d794d14b642ffe2

SELinux Manipulation Components (l, l.so, XZ archives)
2425f15eb542fca82892fd107ac19d63d4d112ddbfe698650f0c25acf6f8d78a
69cf56ac6f3888efa7a1306977f431fd1edb369a5fd4591ce37b72b7e01955ee
211311468f3673f005031d5f77d4d716e80cbf3c1f0bb1f148f2200920513261

Filenames Observed in the Wild

These filenames strongly suggest delivery via WhatsApp media auto-download:

WhatsApp Image 2025-02-10 at 4.54.17 PM.jpeg
IMG-20250120-WA0005.jpg
WhatsApp Image 2024-08-27 at 11.48.40 AM.jpeg
PHOTO-2024-08-27-11-48-41.jpg
IMG-20240723-WA0001.jpg
IMG-20240723-WA0000.jpg
1.jpeg
2.tiff
localfile~
b.so
l
6357fc.zip


Conclusion

LANDFALL is one of the most advanced Android espionage tools ever publicly documented.
Its zero-click delivery, DNG abuse, SELinux manipulation, and commercial-grade architecture place it firmly in the category of PSOA-developed spyware, engineered for nation-state clients.

For CISOs and security teams, LANDFALL underscores the need to treat mobile devices as Tier-1 assets — not exceptions to the enterprise security model.

The threat landscape has changed: the next generation of mobile spyware will not ask for permission.
