Palo Alto Networks has identified a previously unknown surveillance platform, LandFall, that abused a zero‑day flaw in select Samsung Galaxy smartphones by weaponizing DNG image files sent over WhatsApp. The campaign has been active since at least July 2024; Samsung issued a fix only in April 2025, leaving roughly nine months of in‑the‑wild exploitation.
Technical details: CVE‑2025‑21042 in libimagecodec.quram.so
According to the analysis, LandFall targeted a high‑severity vulnerability, CVE‑2025‑21042 (CVSS 8.8), in Samsung’s image processing library libimagecodec.quram.so. The bug is an out‑of‑bounds write in the library's image parsing, and a crafted image that reaches the parser can therefore achieve remote code execution. Because the parsing happens automatically, arbitrary code runs on the device with no user interaction at all, which is what is commonly called a zero‑click exploit.
Delivery through WhatsApp and weaponized DNG files
The intrusion chain started with a DNG file delivered via WhatsApp. Researchers report the DNG packaged a hidden ZIP archive containing LandFall components. As soon as the OS or the app began processing the image (for example, to render a preview), the exploit triggered, executing attacker‑controlled code with no taps or clicks required. This technique is effective because messaging apps often auto‑process media for thumbnails and previews.
Why DNG is an attractive target for zero‑click exploits
DNG (Digital Negative) is a complex “raw” image format with extensive metadata support. The format’s complexity and less frequently tested edge cases increase attack surface in image parsers. LandFall follows a broader trend: researchers have recently documented DNG‑related parsing flaws in other ecosystems (CVE‑2025‑43300 on iOS and CVE‑2025‑55177 in WhatsApp). Historically, high‑impact media parsing bugs such as Android’s Stagefright (2015) and Apple’s FORCEDENTRY (2021) have been used for zero‑click delivery, as reported by Google Project Zero and Citizen Lab. The pattern underscores why media codecs remain a preferred initial access vector.
Targeting, geography, and infrastructure
Telemetry and samples uploaded to VirusTotal since 23 July 2024 tie LandFall activity to victims in Iraq, Iran, Turkey, and Morocco. Impacted models include Galaxy S22, S23, S24, and foldables Z Fold 4 and Z Flip 4. The then‑new S25 series was reported as not affected.
Investigators identified six command‑and‑control (C2) servers associated with the operation; some had been previously flagged as malicious by Turkey’s CERT. All observed deliveries leveraged WhatsApp as the entry channel.
Post‑exploitation: architecture and capabilities
LandFall comprises at least two core modules. The loader, b.so (also referenced as Bridge Head), fetches additional plugins on demand to expand functionality. The second module, l.so, alters SELinux policies to facilitate privilege escalation and persistence. Once resident, the malware collects a detailed device fingerprint—including IMEI, IMSI, SIM number, account parameters, Bluetooth information, geolocation, and installed apps—and supports further covert monitoring and control.
Attribution outlook: a commercial spyware ecosystem
While definitive attribution remains open, researchers assess LandFall as part of a commercial surveillance framework. The C2 infrastructure resembles assets previously linked to the UAE‑associated Stealth Falcon cluster, and the “Bridge Head” naming aligns with conventions seen among vendors such as NSO Group, Variston, Cytrox, and Quadream. These signals are suggestive, not conclusive, but indicate professional development and mercenary origins.
Mitigation and detection guidance
Patch immediately: Apply Samsung’s April 2025 (or newer) security updates addressing CVE‑2025‑21042.
Reduce media auto‑processing: Disable auto‑download/auto‑save features in WhatsApp and other messengers to limit automatic parsing of untrusted media.
Harden and monitor: Track changes to SELinux policies, monitor egress to unknown domains/IPs (especially newly registered infrastructure), and verify file integrity for image libraries (e.g., libimagecodec.quram.so).
Leverage MDM/EDR for Android: Enforce least‑privilege policies, restrict sideloading of modules, and collect device telemetry to spot anomalies.
Hunt with IoCs: Ingest indicators published by the researchers and run retrospective hunts across logs dating back to July 2024.
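A file‑level check that ties the WhatsApp delivery description above to the hunting guidance in this section, written here as an added example (it is not part of the original article or of the researchers' tooling): it flags a DNG file that carries a structurally valid ZIP archive by parsing the archive's end‑of‑central‑directory record, rather than matching bare "PK" bytes that occur by chance in binary image data. The sample blobs are constructed inline; the module names b.so and l.so are taken from the article, but their contents are placeholders.

```python
import io
import struct
import zipfile
from typing import Optional

TIFF_MAGICS = (b"II*\x00", b"MM\x00*")  # DNG is a TIFF container; these are its two byte-order headers
EOCD_SIG = b"PK\x05\x06"                # ZIP end-of-central-directory record signature
CDH_SIG = b"PK\x01\x02"                 # ZIP central-directory file header signature


def find_embedded_zip(data: bytes) -> Optional[dict]:
    """Report a structurally valid ZIP archive carried inside a DNG/TIFF blob, or None.
    A bare 'PK' match is noisy on image data, so an EOCD record is required whose
    size/offset fields actually point at a central-directory header."""
    if not data.startswith(TIFF_MAGICS):
        return None
    pos = data.rfind(EOCD_SIG)
    while pos != -1:
        if pos + 22 <= len(data):  # the fixed part of an EOCD record is 22 bytes
            _, _, _, _, entries, cd_size, cd_offset, _ = struct.unpack_from("<4sHHHHIIH", data, pos)
            cd_pos = pos - cd_size         # the central directory sits immediately before the EOCD
            zip_base = cd_pos - cd_offset  # cd_offset is relative to the archive's own first byte
            if zip_base >= 0 and data[cd_pos:cd_pos + 4] == CDH_SIG:
                return {"zip_offset": zip_base, "entries": entries, "eocd_offset": pos}
        pos = data.rfind(EOCD_SIG, 0, pos)  # skip a false hit and keep searching backwards
    return None


def build_samples() -> dict:
    """Constructed blobs, not real LandFall samples: a minimal TIFF header plus padding."""
    dng_stub = b"II*\x00" + struct.pack("<I", 8) + b"\x00" * 64
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("b.so", b"placeholder bytes")  # module names from the article; contents constructed
        zf.writestr("l.so", b"placeholder bytes")
    return {
        "clean.dng": dng_stub,
        "stray_pk.dng": dng_stub + b"PK\x03\x04" + b"\x00" * 30,  # 'PK' bytes but no real archive
        "zip_appended.dng": dng_stub + buf.getvalue(),
    }


def scan(files: dict) -> dict:
    """Map each file name to its finding (None when no embedded archive is present)."""
    return {name: find_embedded_zip(blob) for name, blob in files.items()}


if __name__ == "__main__":
    for name, finding in scan(build_samples()).items():
        print(f"{name}: {'embedded ZIP ' + str(finding) if finding else 'no embedded archive'}")
```

On a real device image or mailbox export, point scan() at the bytes of each .dng attachment; a hit gives the archive's offset and entry count for triage, and a miss on stray_pk.dng shows why the EOCD parse is preferred over a signature grep.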
LandFall reinforces that media codecs remain a prime target for quiet, zero‑click compromise. Organizations and users should accelerate patch cycles, treat inbound media as untrusted, and strengthen device‑level telemetry. Shrinking zero‑day windows and rapidly detecting policy anomalies materially reduce the likelihood of durable, covert surveillance on mobile endpoints.