The PolySwarm Blog


Landfall Android Spyware

Nov 17, 2025 12:33:16 PM / by The Hivemind

Verticals Targeted: Not specified
Regions Targeted: Middle East
Related Families: None

Executive Summary

A novel Android spyware family, dubbed Landfall, leveraged a zero-day vulnerability in Samsung's image processing library to compromise Galaxy devices. The campaign, active since mid-2024, enabled extensive surveillance capabilities and remained undetected until historical samples were analyzed post-patch.

Key Takeaways

  • Landfall exploits CVE-2025-21042 via malformed DNG image files, likely distributed through WhatsApp for zero-click installation on Samsung Galaxy models.
  • The spyware facilitates microphone recording, location tracking, and exfiltration of contacts, call logs, photos, and other sensitive data.
  • Infrastructure overlaps suggest ties to threat actors operating in the Middle East.
  • Samsung addressed the vulnerability in April 2025, although devices that have not been updated may still be vulnerable.

What is Landfall?

Palo Alto’s Unit 42 researchers detected Landfall while investigating a separate iOS exploit chain disclosed in August 2025, uncovering Android-specific samples. These files, named with WhatsApp conventions, embed a ZIP archive containing spyware components. Exploitation targets CVE-2025-21042 (also tracked as SVE-2024-1969), a flaw in the libimagecodec.quram.so library that Samsung patched in its April 2025 security update, following private reporting in September 2024. Targeted devices include specific Galaxy series builds, including the S23, S24, Z Fold4, S22, and Z Flip4.

The infection begins with processing the malformed DNG file, which triggers the vulnerability to extract and execute two primary components: an ARM64 ELF shared object loader and an XZ-compressed SELinux policy manipulator. The loader, internally referenced as "Bridge Head," handles initial beaconing to command-and-control (C2) servers via HTTPS on non-standard ports, transmitting device fingerprints including IMEI, IMSI, OS version, and installed applications.
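The delivery vehicle described above is a DNG (TIFF-based) image that carries a ZIP archive inside it. As an added triage example (not PolySwarm's, Unit 42's or Samsung's code), the script below parses the TIFF/DNG container and flags any embedded ZIP archive that parses as a real archive; it assumes the archive is present as raw ZIP bytes somewhere in the file, and both the minimal DNG and the ZIP it scans are constructed here for the demonstration.

```python
import io
import struct
import zipfile

ZIP_LOCAL_HEADER = b"PK\x03\x04"   # ZIP local-file-header signature
DNG_VERSION_TAG = 0xC612           # TIFF tag that marks a file as DNG


def parse_tiff_ifd0(data: bytes):
    """Return the first IFD as {tag: (type, count, value)} or None if not TIFF."""
    if len(data) < 8 or data[:2] not in (b"II", b"MM"):
        return None
    end = "<" if data[:2] == b"II" else ">"
    magic, ifd_off = struct.unpack(end + "HI", data[2:8])
    if magic != 42 or ifd_off + 2 > len(data):
        return None
    count = struct.unpack(end + "H", data[ifd_off:ifd_off + 2])[0]
    tags, pos = {}, ifd_off + 2
    for _ in range(count):
        if pos + 12 > len(data):
            break                  # truncated IFD: stop, keep what we have
        tag, typ, n, val = struct.unpack(end + "HHII", data[pos:pos + 12])
        tags[tag] = (typ, n, val)
        pos += 12
    return tags


def find_embedded_zip(data: bytes):
    """Return (offset, member names, is_dng) for a ZIP hidden in a TIFF/DNG, else None."""
    tags = parse_tiff_ifd0(data)
    if tags is None:
        return None                # not a TIFF container; out of scope for this check
    idx = data.find(ZIP_LOCAL_HEADER)
    if idx == -1:
        return None
    try:                           # confirm it is an archive, not a chance byte match
        with zipfile.ZipFile(io.BytesIO(data[idx:])) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return None
    return idx, names, DNG_VERSION_TAG in tags


def build_sample_dng(appended: bytes = b"") -> bytes:
    """Constructed minimal little-endian TIFF with a DNGVersion tag (not a real camera file)."""
    entries = [(0x0100, 3, 1, 8), (0x0101, 3, 1, 8), (DNG_VERSION_TAG, 1, 4, 0x00000401)]
    ifd = struct.pack("<H", len(entries))
    for tag, typ, n, val in entries:
        ifd += struct.pack("<HHII", tag, typ, n, val)
    ifd += struct.pack("<I", 0)    # no next IFD
    return b"II" + struct.pack("<HI", 42, 8) + ifd + appended


def build_zip(files: dict) -> bytes:
    """Constructed in-memory ZIP archive used as the embedded payload stand-in."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in files.items():
            zf.writestr(name, content)
    return buf.getvalue()
```

Run `find_embedded_zip` over DNG attachments pulled from a messaging app's media directory to surface files that carry an archive where image data should be; a hit is a triage signal, not proof of the specific exploit.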

Landfall's modular design supports downloading additional payloads for expanded functionality. Debug strings in b.so reveal potential commands for call recording, SMS collection, arbitrary file access, process injection, and persistence mechanisms. It manipulates SELinux policies to elevate privileges and monitors directories like WhatsApp Media for further instructions. Evasion techniques include detecting debuggers, Frida, and Xposed. Certificate pinning secures C2 communications.

IOCs

PolySwarm has multiple samples of Landfall.


You can use the following CLI command to search for all Landfall samples in our portal:

$ polyswarm link list -f Landfall


Topics: Threat Bulletin, Android Malware, DNG exploit, Landfall spyware, CVE-2025-21042, Samsung zero-day, mobile espionage, SELinux manipulation
