In targeted attacks across the Middle East, attackers weaponized a now-patched Samsung image-codec zero-day (CVE-2025-21042) to deliver a modular Android spyware family dubbed LANDFALL. The delivery method abused DNG/JPEG image files (sent via WhatsApp in some cases) that contained appended ZIP archives with shared object libraries; the exploit extracted and executed these components, manipulated SELinux to escalate permissions, and contacted C2 infrastructure to fetch further modules. Samsung patched the underlying library in April 2025.
What happened (high level)
- Attackers used a vulnerability in Samsung’s image processing library libimagecodec.quram.so (CVE-2025-21042, out-of-bounds write) to achieve remote code execution on affected Galaxy devices.
- Exploits were embedded in DNG/JPEG images that contained an appended ZIP. The ZIP held a loader .so and the LANDFALL payload; after extraction the loader modified SELinux policy to elevate privileges and establish persistence.
- The loader beaconed to C2 over HTTPS to fetch additional modules; LANDFALL is modular and capable of microphone recording, location and photo exfiltration, SMS/call logs, contacts, and arbitrary file access.
Vulnerability details
- Vulnerability: CVE-2025-21042 — an out-of-bounds write in libimagecodec.quram.so (Samsung’s image codec library). It can be triggered by specially crafted image data, resulting in arbitrary code execution on affected firmware versions. The NVD entry confirms the arbitrary code execution risk and lists the April 2025 patch window.
- Exploitation approach: The DNG files included an appended ZIP archive (a classic polyglot/concatenation trick). The code path that decodes DNG images is tricked into reading beyond bounds and executing code which extracts and loads the included .so loader. This bypasses conventional file-type checks because the file appears to be a media image.
LANDFALL anatomy & capabilities
- Loader: Extracted from the appended ZIP, loads a shared object into memory and performs local privilege changes, including attempts to relax SELinux constraints so later modules gain elevated permissions.
- Modularity: The loader contacts a C2 server over HTTPS, enters a beacon loop, and can download additional stages — the recovered samples show a surveillance suite for microphone recording, location, photos, contacts, SMS, files, and call logs.
- Target profile: Unit 42 observed targeting focused on the Samsung Galaxy S22/S23/S24 series and the Z Fold4 / Z Flip4 family (flagship devices), excluding the very latest generation at the time.
Timeline & context
- LANDFALL artifacts tracked back to at least July 23, 2024 (based on artifact timestamps / VirusTotal submissions) and continued through early 2025; Samsung patched CVE-2025-21042 in April 2025. Unit 42’s analysis and public reporting were released later, correlating the DNG artifacts and exploitation timeline.
- Related activity in 2025 included iOS/macOS targeted campaigns that abused WhatsApp/OS vulnerabilities (CVE-2025-55177 chained with CVE-2025-43300) — different chains, but similar targeted-espionage patterns and low-volume high-value targets.
Indicators of compromise (IOCs) & detection guidance
File / local detection
- Look for media files (DNG/JPEG) with unusual file size inflation or ZIP/PK header bytes appended beyond the expected image EOF. A quick signature: PK\x03\x04 or another ZIP signature appended to an image file.
- On-device: presence of unfamiliar .so files in writable app directories (e.g., app data, cache) or unexpected native library loads in non-system apps.
Process & API monitoring
- Unexpected processes or apps performing dlopen() on libraries that are not part of package resources.
- Calls to SELinux policy modification APIs or execution attempts of setenforce 0 (or manipulation of policy files) should be high-priority alerts.
Network detection
- HTTPS connections to uncommon domains immediately after image receipt, especially GET/POST patterns that include short beacons or repeated polling intervals. Monitor for encrypted POSTs to newly registered domains or domains with registration patterns matching known C2 setup. (Unit 42 noted similarities of some domains/registrations to previous clusters, but no definitive overlap.)
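As an added example (not detection content from the original report or from Unit 42), the two network checks above, a low-reputation HTTPS destination contacted shortly after an IM attachment arrives on the same device, and repeated polling of one host at a near-constant interval, can be prototyped over constructed MDM and egress log lines. The log format, the device names and the host c2-placeholder.example are assumptions made for the sample.

```python
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed sample telemetry (not from the LANDFALL report): MDM attachment events and egress logs.
ATTACHMENTS = [
    "2025-03-02T10:00:05Z dev-A app=whatsapp event=attachment_received type=image/x-adobe-dng",
    "2025-03-02T10:30:00Z dev-B app=whatsapp event=attachment_received type=image/jpeg",
]
EGRESS = [
    "2025-03-02T10:01:10Z dev-A dst=cdn.example proto=https reputation=high",
    "2025-03-02T10:02:40Z dev-A dst=c2-placeholder.example proto=https reputation=low",
    "2025-03-02T10:07:40Z dev-A dst=c2-placeholder.example proto=https reputation=low",
    "2025-03-02T10:12:42Z dev-A dst=c2-placeholder.example proto=https reputation=low",
    "2025-03-02T12:15:00Z dev-B dst=c2-placeholder.example proto=https reputation=low",
]

def parse(line):
    """Split '<ts> <device> k=v k=v ...' into a dict with a datetime ts."""
    ts, dev, *kv = line.split()
    rec = dict(item.split("=", 1) for item in kv)
    rec["ts"], rec["dev"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), dev
    return rec

def post_attachment_egress(attachments, egress, window=timedelta(minutes=10)):
    """(device, host, seconds_after) for low-reputation hosts contacted within `window` of an IM attachment."""
    hits = []
    for a in map(parse, attachments):
        for e in map(parse, egress):
            delay = (e["ts"] - a["ts"]).total_seconds()
            if e["dev"] == a["dev"] and e["reputation"] == "low" and 0 <= delay <= window.total_seconds():
                hits.append((a["dev"], e["dst"], int(delay)))
    return hits

def beacon_candidates(egress, min_hits=3, max_jitter=0.2):
    """(device, host, mean_interval_s) where repeated connections keep a near-constant interval (beacon loop)."""
    times = {}
    for e in map(parse, egress):
        times.setdefault((e["dev"], e["dst"]), []).append(e["ts"])
    found = []
    for (dev, dst), ts in times.items():
        ts.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
        # coefficient of variation of the gaps: low means regular polling rather than user-driven traffic
        if len(ts) >= min_hits and mean(gaps) > 0 and pstdev(gaps) / mean(gaps) <= max_jitter:
            found.append((dev, dst, round(mean(gaps))))
    return found
```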
Hunting queries (example)
- Search storage for image files where grep -obUaP "PK\x03\x04" file reports a 50 4b 03 04 (ZIP local file header) match at an offset beyond the typical image EOF marker.
- On Android device forensic images: grep -rlaP "PK\x03\x04" /data/data /sdcard (careful with false positives).
- EMM/MDM logs: flag devices with sudden outbound connections to low-reputation HTTPS hosts within minutes after receiving WhatsApp/IM attachments.
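The following added example (not code from the original report or from Unit 42) implements the file check described in the local-detection and hunting sections above: it walks the JPEG marker segments to find the true EOI marker, then looks for a ZIP local file header in the trailer; for DNG, which is a TIFF container without an EOF marker, it scans everything past the 8-byte header. The sample polyglot and the entry name libloader_placeholder.so are constructed test data, not real LANDFALL artifacts.

```python
import io, struct, zipfile

ZIP_LOCAL_HEADER = b"PK\x03\x04"             # bytes 50 4b 03 04
TIFF_MAGICS = (b"II*\x00", b"MM\x00*")        # DNG is a TIFF container
RST_OR_STUFF = (0x00, *range(0xD0, 0xD8))     # bytes allowed after 0xFF inside entropy-coded data

def jpeg_end(data):
    """Walk JPEG marker segments; return the offset just past the real EOI (FF D9), or None."""
    pos = 2
    while pos + 2 <= len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        if marker == 0xD9:
            return pos + 2                                   # EOI: anything after this is a trailer
        if pos + 4 > len(data):
            break
        pos += 2 + struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if marker == 0xDA:                                   # SOS: skip scan data up to the next true marker
            while pos + 1 < len(data) and not (data[pos] == 0xFF and data[pos + 1] not in RST_OR_STUFF):
                pos += 1
    return None

def appended_zip(data):
    """Return a finding dict if an image file carries a ZIP archive after its payload, else None."""
    if data.startswith(b"\xff\xd8"):
        kind, end = "jpeg", jpeg_end(data)
    elif data[:4] in TIFF_MAGICS:
        kind, end = "dng/tiff", 8   # TIFF has no EOF marker, so scan everything after the 8-byte header
    else:
        return None
    zip_off = data.find(ZIP_LOCAL_HEADER, end) if end is not None else -1
    if zip_off < 0:
        return None
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:   # zipfile tolerates data prepended to an archive
            entries = zf.namelist()
    except zipfile.BadZipFile:
        entries = []                                    # signature present but unreadable: still suspicious
    return {"kind": kind, "zip_offset": zip_off, "trailing_bytes": len(data) - end, "entries": entries}

def build_sample_polyglot():
    """Constructed input: a minimal JPEG, and the same JPEG with a ZIP holding a placeholder .so appended."""
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos = b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
    scan = b"\x12\x34\xff\x00\x56\xff\xd0\x78"        # includes a stuffed FF00 and an RST marker
    jpeg = b"\xff\xd8" + app0 + sos + scan + b"\xff\xd9"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:              # placeholder entry, not a real library
        zf.writestr("libloader_placeholder.so", b"\x7fELF-placeholder-not-a-real-library")
    return jpeg, jpeg + buf.getvalue()
```

A clean JPEG that merely has camera junk after EOI will report trailing_bytes but no entries, so alert on entries (or a parseable archive) rather than on trailer length alone.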
Mitigations & recommended defenses
Immediate user actions
- Patch: Ensure Samsung devices are updated to the April-2025 Security Maintenance Release (SMR) or later that resolves CVE-2025-21042. Vendors’ firmware/security pages list the affected SMR release.
- WhatsApp & apps: Keep WhatsApp and other messaging apps updated; WhatsApp patched related link-processing flaws in 2025 that were used in separate campaigns.
Enterprise controls
- Enforce mobile OS updates via MDM; require minimum OS/SMR levels for corporate devices.
- Restrict installing apps from unknown sources; prevent local sideloading for corporate devices.
- Use egress filtering / allow-list for device outbound HTTPS destinations where practical; proxy or TLS inspection can help flag unusual C2 traffic patterns.
- Implement mobile endpoint detection (EDR for Android) that monitors native library loads, SELinux changes, and suspicious access to microphone/files/contacts.
Post-compromise / remediation
- If compromise is suspected, isolate the device (remove network access), collect relevant logs/artifacts, and consider a factory reset after forensic acquisition if the device will be reissued. Note that some advanced spyware persists across reboots and may survive backups — forensic acquisition before wiping is best practice.
Forensic suggestions
- Full file system image if possible (forensic image via ADB/agent or via device imaging procedures).
- Acquire WhatsApp message DB (if stored) and attachments, with timestamps (to correlate delivery to infection).
- Collect native artifact files (.so), /data/data/*/files/ and cache directories, SELinux policy files, and logcat output capturing process loads and native crashes.
- Network captures (pcap) from the device’s network or proxied traffic to analyze C2 patterns.
Conclusion
LANDFALL demonstrates how classic tricks (media polyglots, image-codec bugs) combined with modern modular spyware yield high-impact, targeted espionage. The technical takeaways are straightforward: keep devices and apps patched, instrument detections for media-based delivery and SELinux manipulation, and treat suspicious inbound media attachments as high-severity on managed devices. Public reporting (Unit 42, NVD, vendor advisories) is the baseline — use it to populate IOCs and harden detection rules quickly.
