Overview
- Landfall exploited CVE-2025-21042, an out-of-bounds write in Samsung's image codec library libimagecodec.quram.so, to achieve remote code execution from a malformed image, most likely delivered over WhatsApp; Samsung fixed the bug in its April 2025 security maintenance release.
- The malicious DNG files carried a ZIP archive appended after the image data. It contained a loader (b.so) and a SELinux policy manipulator (l.so) used to gain elevated permissions and persist on the device; the implant communicated over certificate-pinned HTTPS with six identified C2 servers, one of whose IP addresses had already been flagged by Turkey's national CERT, USOM.
- The campaign ran from at least July 2024 into early 2025. The spyware's code referenced specific Galaxy models (S22, S23, S24, Z Fold 4 and Z Flip 4), and the evidence points to Android versions roughly 13 through 15.
- Once installed, the spyware supported wide-ranging surveillance: microphone and call recording, location tracking, and exfiltration of photos, messages, contacts, call logs, browsing history and other files.
- Attribution remains unresolved. Infrastructure and domain-registration patterns resemble operations linked to Stealth Falcon, and researchers place Landfall within a broader wave of mobile exploit activity that abuses DNG files. Defenders are advised to apply the April 2025 patch (or later) and to disable automatic media download in messaging apps, which removes the zero-click delivery path.
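The delivery artefact described above, a DNG whose valid TIFF structure is followed by a ZIP archive, is something a practitioner can triage without the exploit itself: parse the TIFF/DNG IFD chain to find the last byte the image structure actually references, then check whether the bytes after it form a ZIP. The scanner below is an added example written for this page, not code from the original article or from the Unit 42 research. It constructs its own minimal TIFF and its own ZIP in memory (the b.so and l.so member names mirror the reporting, their contents are placeholder bytes, not the real payloads), so it runs offline; everything else about Landfall's file layout beyond "ZIP appended after the image" is an assumption.

```python
"""Triage a DNG/TIFF for an appended ZIP archive (added example, constructed sample data)."""
import io
import struct
import zipfile

# Byte size of each TIFF field type (TIFF 6.0 / DNG), used to size out-of-line values.
TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 6: 1, 7: 1, 8: 2, 9: 4, 10: 8,
              11: 4, 12: 8, 13: 4, 16: 8, 17: 8, 18: 8}
STRIP_OFFSETS, STRIP_BYTE_COUNTS, SUB_IFDS, EXIF_IFD = 273, 279, 330, 34665


def _read_ints(data, endian, typ, count, entry):
    """Read a SHORT/LONG/IFD array from an IFD entry, inline or out-of-line."""
    fmt = {3: "H", 4: "I", 13: "I"}.get(typ)
    if fmt is None:
        return []
    size = struct.calcsize(fmt) * count
    src = entry + 8 if size <= 4 else struct.unpack_from(endian + "I", data, entry + 8)[0]
    return list(struct.unpack_from(endian + fmt * count, data, src))


def tiff_extent(data: bytes) -> int:
    """Highest byte offset referenced by the TIFF/DNG structure: IFDs, SubIFDs,
    the Exif IFD, out-of-line tag values and image strips. Bytes past this are trailing."""
    if len(data) < 8 or data[:2] not in (b"II", b"MM"):
        raise ValueError("not a TIFF/DNG file")
    endian = "<" if data[:2] == b"II" else ">"
    magic, first_ifd = struct.unpack(endian + "HI", data[2:8])
    if magic != 42:
        raise ValueError("bad TIFF magic")
    extent, seen, pending = 8, set(), [first_ifd]
    while pending:
        off = pending.pop()
        if off == 0 or off in seen or off + 2 > len(data):
            continue  # skip null links and loops, a hostile file may chain IFDs to itself
        seen.add(off)
        (n,) = struct.unpack_from(endian + "H", data, off)
        extent = max(extent, off + 2 + 12 * n + 4)
        strip_offs, strip_lens = [], []
        for i in range(n):
            e = off + 2 + 12 * i
            tag, typ, count = struct.unpack_from(endian + "HHI", data, e)
            size = TYPE_SIZES.get(typ, 1) * count
            if size > 4:  # value stored out of line: the entry holds a pointer
                (ptr,) = struct.unpack_from(endian + "I", data, e + 8)
                extent = max(extent, ptr + size)
            if tag in (SUB_IFDS, EXIF_IFD):
                pending.extend(_read_ints(data, endian, typ, count, e))
            elif tag == STRIP_OFFSETS:
                strip_offs = _read_ints(data, endian, typ, count, e)
            elif tag == STRIP_BYTE_COUNTS:
                strip_lens = _read_ints(data, endian, typ, count, e)
        for so, sl in zip(strip_offs, strip_lens):
            extent = max(extent, so + sl)
        pending.append(struct.unpack_from(endian + "I", data, off + 2 + 12 * n)[0])
    return extent


def find_appended_zip(data: bytes):
    """Return (trailing_byte_count, zip_member_names). A ZIP is only reported when the
    tail actually parses as one: zipfile locates the End-of-Central-Directory record from
    the end of the file and tolerates a prefix, so no carving is needed."""
    trailing = len(data) - tiff_extent(data)
    names = []
    if trailing > 0 and zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    return trailing, names


def build_tiff(strip: bytes) -> bytes:
    """Constructed minimal little-endian baseline TIFF: one IFD, one 8-bit grey strip."""
    entries = [(256, 4, 1, len(strip)), (257, 4, 1, 1), (258, 3, 1, 8), (259, 3, 1, 1),
               (262, 3, 1, 1), (273, 4, 1, None), (277, 3, 1, 1), (278, 4, 1, 1),
               (279, 4, 1, len(strip))]
    strip_off = 8 + 2 + 12 * len(entries) + 4
    out = bytearray(b"II" + struct.pack("<HI", 42, 8) + struct.pack("<H", len(entries)))
    for tag, typ, count, val in entries:
        val = strip_off if val is None else val
        fmt = "H" if typ == 3 else "I"
        out += struct.pack("<HHI", tag, typ, count) + struct.pack("<" + fmt, val).ljust(4, b"\0")
    return bytes(out + struct.pack("<I", 0) + strip)


def build_sample():
    """Constructed pair: a clean TIFF and the same TIFF with a ZIP appended.
    Member names follow the reporting; the ELF-looking bytes are placeholders, not payloads."""
    clean = build_tiff(b"\x80" * 4)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("b.so", b"\x7fELF" + b"\0" * 60)
        zf.writestr("l.so", b"\x7fELF" + b"\0" * 60)
    return clean, clean + buf.getvalue()


if __name__ == "__main__":
    clean, suspicious = build_sample()
    for label, blob in (("clean", clean), ("suspicious", suspicious)):
        trailing, members = find_appended_zip(blob)
        print(f"{label}: {trailing} trailing bytes, zip members={members}")
```

Trailing bytes alone are not proof of anything (some camera firmware pads files), which is why the function only reports members when the tail opens as a ZIP. Conversely, an image viewer that ignores bytes after the last strip will render such a file normally, which is exactly what makes the carrier inconspicuous, so the check belongs at the mail/chat gateway or in an endpoint scanner rather than in the viewer.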