Attackers brought zero-click delivery back to Samsung Galaxy phones by hiding exploit code inside malformed DNG images sent over WhatsApp. The chain abused a critical image-parsing vulnerability (CVE-2025-21042) in Samsung's image codec library, giving remote code execution with no taps or other user interaction. After initial execution, the LandFall spyware loaded further modules, altered SELinux policy, and began comprehensive data collection. Incident responders should therefore treat any suspicious media-driven execution as a high-priority compromise.
Impact on enterprise and high-risk users: Android spyware campaign risk
This campaign pressures mobile EDR and MTD controls because it arrives through a trusted app wrapped in a benign-looking image. Device owners who handle sensitive communications (executives, journalists, diplomats, legal staff) therefore face elevated risk. Once LandFall runs, it can capture microphone audio, call logs, SMS, files, photos, and location, so organizations must assume data exposure and identity risk immediately and run mobile IR alongside their workstation playbooks.
Infection chain: DNG image payloads sent via WhatsApp
The lure arrives as a DNG image. Although it renders like a standard photo, the file carries an appended archive segment that holds the malicious components, and the malformed image data triggers the Samsung image-processing bug during parsing. As a result, the payload executes with no user interaction and stages two core components: a loader that retrieves additional modules and an SELinux policy manipulator that raises privileges and stabilizes persistence. Because the message thread looks routine, detection often starts only after abnormal network or permission activity.
New evasion and delivery: image-parsing abuse and SELinux manipulation
By abusing the device’s image pipeline, LandFall sidesteps traditional attachment filters and many scanner heuristics. Then it quietly modifies SELinux rules to grant itself broader reach. Consequently, defenders should baseline SELinux policy state across managed devices and alert on policy changes, unexpected module loads, or spikes in media-codec crashes. In practice, telemetry from the media server process, image decoder components, and messaging app sandboxes provides early warning.
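The telemetry described above can be turned into a concrete correlation rule. The script below is an added example written for this page, not LandFall tooling or a vendor detection: it parses `adb logcat -v threadtime` output, extracts debuggerd tombstones whose backtrace lands in an image or media codec library, and raises severity when an SELinux `security`-class event (load_policy, setenforce) or a denial against selinuxfs follows within a configurable window. The library list and the sample log lines are constructed assumptions; libimagecodec.quram.so is the Samsung library named elsewhere on this page, the other names are generic Android decoder paths to tune for your fleet.

```python
"""Correlate image-decoder crashes with SELinux policy activity in logcat.

Added example (not LandFall tooling or a vendor signature): a native crash
whose backtrace lands in an image or media codec library, followed within a
short window by an SELinux 'security'-class event (load_policy, setenforce)
or a denial against selinuxfs, is the behavioural shape this page describes.
Input is `adb logcat -v threadtime` text, which MTD agents can forward.
"""
import re
from datetime import datetime

# threadtime format: "MM-DD HH:MM:SS.mmm  PID  TID LEVEL TAG : message"
LINE = re.compile(r"^(?P<ts>\d\d-\d\d \d\d:\d\d:\d\d\.\d{3})\s+\d+\s+\d+\s+"
                  r"(?P<lvl>[VDIWEF])\s+(?P<tag>\S+)\s*:\s?(?P<msg>.*)$")
# debuggerd tombstone lines (tag DEBUG)
CRASH_HDR = re.compile(r"pid: (?P<pid>\d+), tid: \d+, name: (?P<thread>\S+)\s+>>> (?P<proc>\S+) <<<")
SIGNAL = re.compile(r"signal \d+ \((?P<name>SIG\w+)\)")
FRAME = re.compile(r"#\d+ pc [0-9a-f]+\s+(?P<path>\S+)")
# kernel audit lines as logcat shows them
AVC = re.compile(r'avc: denied \{ (?P<perm>[^}]+)\} for (?:pid=(?P<pid>\d+) )?comm="(?P<comm>[^"]+)"'
                 r'.*?tcontext=(?P<tctx>\S+) tclass=(?P<tclass>\S+)')
# Assumed starting list; libimagecodec.quram.so is the Samsung library named on this page.
CODEC_LIBS = ("libimagecodec", "libstagefright", "libjpeg", "libpng", "libheif")


def _ts(s):
    # logcat omits the year; strptime defaults to 1900, which is fine for same-day deltas
    return datetime.strptime(s, "%m-%d %H:%M:%S.%f")


def parse_events(lines):
    """Return (crash records, SELinux denial records) from threadtime logcat lines."""
    crashes, selinux, cur = [], [], None
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        ts, tag, msg = _ts(m["ts"]), m["tag"], m["msg"]
        if tag == "DEBUG":
            h = CRASH_HDR.search(msg)
            if h:                                   # a new tombstone starts here
                cur = {"ts": ts, "pid": int(h["pid"]), "proc": h["proc"],
                       "thread": h["thread"], "signal": None, "frames": []}
                crashes.append(cur)
            elif cur is not None:
                s, f = SIGNAL.search(msg), FRAME.search(msg)
                if s:
                    cur["signal"] = s["name"]
                if f:
                    cur["frames"].append(f["path"])
        a = AVC.search(msg)
        if a:
            selinux.append({"ts": ts, "pid": int(a["pid"] or 0), "comm": a["comm"],
                            "perm": a["perm"].strip(), "tctx": a["tctx"], "tclass": a["tclass"]})
    return crashes, selinux


def correlate(lines, window_s=120):
    """Alert on codec-library crashes; raise severity if SELinux policy activity follows."""
    crashes, selinux = parse_events(lines)
    alerts = []
    for c in crashes:
        codec_frames = [p for p in c["frames"] if any(lib in p for lib in CODEC_LIBS)]
        if not codec_frames:
            continue                                # ordinary app crash, not a decoder fault
        follow = [e for e in selinux
                  if 0 <= (e["ts"] - c["ts"]).total_seconds() <= window_s
                  and (e["tclass"] == "security" or "selinuxfs" in e["tctx"])]
        alerts.append({"proc": c["proc"], "signal": c["signal"], "lib": codec_frames[0],
                       "selinux_events": follow, "severity": "high" if follow else "medium"})
    return alerts


# Constructed sample lines in threadtime shape (not a real device capture)
SAMPLE_LOGCAT = """\
11-07 09:13:58.004  3110  3110 I ActivityManager: Start proc 17432:com.whatsapp/u0a212 for broadcast
11-07 09:14:02.118  1201  1201 F DEBUG   : pid: 17432, tid: 17488, name: ImageDecoder  >>> com.whatsapp <<<
11-07 09:14:02.118  1201  1201 F DEBUG   : signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x0000000000000018
11-07 09:14:02.119  1201  1201 F DEBUG   :       #00 pc 000000000004a1b0  /system/lib64/libimagecodec.quram.so
11-07 09:14:02.119  1201  1201 F DEBUG   :       #01 pc 00000000000f2e84  /system/lib64/libhwui.so
11-07 09:14:41.662     0     0 W auditd  : type=1400 audit(0.0:77): avc: denied { load_policy } for pid=17611 comm="sh" scontext=u:r:untrusted_app:s0 tcontext=u:object_r:kernel:s0 tclass=security permissive=0
11-07 10:02:13.330  1201  1201 F DEBUG   : pid: 9021, tid: 9021, name: com.example.game  >>> com.example.game <<<
11-07 10:02:13.330  1201  1201 F DEBUG   : signal 6 (SIGABRT), code -1 (SI_QUEUE), fault addr --------
11-07 10:02:13.331  1201  1201 F DEBUG   :       #00 pc 000000000005a2c4  /apex/com.android.runtime/lib64/bionic/libc.so
"""

if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOGCAT.splitlines()):
        print(alert["severity"], alert["proc"], alert["signal"], alert["lib"], len(alert["selinux_events"]))
```

A crash is evidence of a failed or probing exploit attempt, not of success; a clean exploit leaves no tombstone, which is why the SELinux side of the rule matters on its own and why the window should be tuned to how quickly your fleet ships logs. The unrelated SIGABRT in the sample is deliberately present to show that only decoder-library frames are scored.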
Targeting and scope: Samsung Galaxy focus, region-bounded operations
Observed targeting spans the Galaxy S22, S23, and S24 families, plus select foldables, with activity clustered in the Middle East. Because exploitation began before patches were widely available, unpatched devices remain attractive targets even after disclosure. Infrastructure overlaps hint at commercial-grade spyware development; however, public attribution remains uncertain. Therefore, prioritize patch coverage and MDM verification on any Galaxy fleet exposed to sensitive communications.
Capabilities and artifacts: comprehensive Android surveillance
LandFall records microphone audio and calls, tracks location, and collects photos, SMS, contacts, files, and browsing history. It fingerprints devices by IMEI/IMSI, SIM details, and installed apps to guide tasking. On disk, responders may find staged modules under user-writable paths; in memory, look for injected code within media and messaging processes. Network activity often presents as short periodic beacons or SOCKS-style tunnels following the first successful image parse.
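The "short periodic beacons" above are the most tool-friendly network artifact, because a timer-driven implant produces inter-arrival intervals far more regular than human browsing. The following is an added example, not LandFall's protocol or any vendor's detector: a jitter-tolerant beaconing heuristic over per-device egress records (timestamp, destination, bytes) such as an MTD agent, VPN gateway or on-device firewall exports. The flow records are constructed and use documentation (TEST-NET) addresses; the thresholds are assumptions to tune against your own baseline.

```python
"""Flag periodic, low-volume egress from one device: a beaconing heuristic.

Added example. Input is a list of (timestamp, destination, bytes) records
for a single device. Destinations contacted at near-constant intervals with
small payloads score as beacon candidates; normal browsing is bursty and
heavy, so it falls out on both axes.
"""
import statistics
from datetime import datetime, timedelta


def beacon_candidates(flows, min_events=6, max_cv=0.15, max_median_bytes=2048):
    """Group flows by destination and score inter-arrival regularity.

    cv is the coefficient of variation (stdev / mean) of the gaps between
    consecutive connections; a fixed timer with a little jitter gives a
    small cv, human-driven traffic does not. Thresholds are assumptions.
    """
    by_dst = {}
    for ts, dst, nbytes in flows:
        by_dst.setdefault(dst, []).append((ts, nbytes))
    out = []
    for dst, events in by_dst.items():
        events.sort()
        if len(events) < min_events:
            continue                                   # too few samples to call periodic
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        mean = statistics.fmean(gaps)
        if mean <= 0:
            continue                                   # all events at one instant: not a beacon
        cv = statistics.pstdev(gaps) / mean
        median_bytes = statistics.median(n for _, n in events)
        if cv <= max_cv and median_bytes <= max_median_bytes:
            out.append({"dst": dst, "events": len(events), "period_s": round(mean, 1),
                        "cv": round(cv, 3), "median_bytes": median_bytes})
    return sorted(out, key=lambda r: r["cv"])


def build_sample_flows():
    """Constructed records (not real telemetry): one ~5-minute beacon plus browsing."""
    base = datetime(2025, 11, 7, 9, 20, 0)
    flows = []
    # implant-like: every ~300 s with a few seconds of jitter, ~600-byte check-ins
    for off, size in zip((0, 302, 598, 901, 1199, 1503, 1797),
                         (612, 598, 640, 605, 611, 590, 630)):
        flows.append((base + timedelta(seconds=off), "203.0.113.7:443", size))
    # browsing-like: bursty gaps, large transfers
    for off, size in zip((0, 40, 41, 300, 1500, 1520, 1521, 4000),
                         (18400, 2200, 91000, 45000, 3300, 120000, 8800, 66000)):
        flows.append((base + timedelta(seconds=off), "198.51.100.20:443", size))
    # too sparse to judge
    for off in (100, 2000, 2600):
        flows.append((base + timedelta(seconds=off), "192.0.2.9:443", 700))
    return flows


if __name__ == "__main__":
    for row in beacon_candidates(build_sample_flows()):
        print(row)
```

Run it per device, not per fleet, and over a window long enough to collect `min_events` check-ins at the suspected period; an implant sleeping for hours will need a day of records before the statistics mean anything. The SOCKS-style tunnels mentioned above look different (one long-lived connection rather than many short ones) and need a separate duration-based rule.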
Detection and response: mobile IR you can run now
• Hunt for media-server crashes, anomalous parsing events, or decoder exceptions near WhatsApp session times.
• Alert on SELinux policy changes, newly loaded policies, or processes requesting expanded capabilities post-message receipt.
• Monitor for unexpected microphone toggles, high-frequency location requests, and permission spikes tied to messaging processes.
• Isolate suspected devices, revoke tokens and sessions, force password resets for the accounts used on the device, rotate any app secrets it held, and re-provision from known-good images.
• Forensically, preserve the original DNG, compute hashes, and analyze both the image and any appended archive segments; test with multiple tools to avoid parser blind spots.
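The forensic step above (and the appended-archive detail in the infection-chain section) can be done without trusting any single image library. The script below is an added example, not LandFall analysis code from any vendor: it walks a DNG's TIFF container, records every byte range the IFD chain references (out-of-line tag values, strips, tiles, sub-IFDs), and treats anything past the highest referenced offset as slack that a renderer never needs. A ZIP signature in that slack is exactly the appended archive segment this page describes; references that point past the end of file are reported as well, since malformed offsets are themselves suspicious. The sample DNG and the appended ZIP are constructed in the script; it does not detect the parsing bug itself, only the carrier pattern.

```python
"""Inspect a DNG (TIFF container) for data appended after the image structure.

Added example. Walks the IFD chain, tracks the highest byte offset any IFD
reaches, and reports trailing bytes plus any ZIP signature found in them.
Classic TIFF only (BigTIFF is rejected).
"""
import io
import struct
import zipfile

TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 6: 1, 7: 1, 8: 2, 9: 4, 10: 8,
              11: 4, 12: 8, 13: 4, 16: 8, 17: 8, 18: 8}
INT_FMT = {1: "B", 3: "H", 4: "I", 13: "I", 16: "Q"}
SUBIFD_TAGS = (0x014A, 0x8769, 0x8825)              # SubIFDs, Exif IFD, GPS IFD
RANGE_TAGS = ((0x0111, 0x0117), (0x0144, 0x0145))   # Strip/Tile offsets paired with byte counts
ZIP_MAGICS = (b"PK\x03\x04", b"PK\x01\x02", b"PK\x05\x06")  # local header, central dir, EOCD


def _ints(data, endian, typ, count, field):
    """Decode an integer-typed tag; values wider than 4 bytes live at an offset."""
    fmt = INT_FMT.get(typ)
    if fmt is None:
        return []
    size = TYPE_SIZES[typ] * count
    if size <= 4:
        raw = field[:size]
    else:
        start = struct.unpack(endian + "I", field)[0]
        raw = data[start:start + size]
    if len(raw) != size:
        return []                                   # value array points outside the file
    return list(struct.unpack(endian + fmt * count, raw))


def tiff_extent(data):
    """Highest byte offset the IFD chain references (may exceed len(data) if malformed)."""
    if len(data) < 8 or data[:2] not in (b"II", b"MM"):
        raise ValueError("not a TIFF/DNG header")
    endian = "<" if data[:2] == b"II" else ">"
    magic, first = struct.unpack(endian + "HI", data[2:8])
    if magic != 42:
        raise ValueError("not a classic TIFF (BigTIFF not handled)")
    extent, seen, pending = 8, set(), [first]
    while pending:
        off = pending.pop()
        if off == 0 or off in seen or off + 2 > len(data):
            continue
        seen.add(off)                               # guard against IFD loops
        n = struct.unpack(endian + "H", data[off:off + 2])[0]
        end = off + 2 + 12 * n + 4                  # entries plus next-IFD pointer
        extent = max(extent, end)
        if end > len(data):
            continue                                # truncated IFD: nothing more to walk
        tags = {}
        for i in range(n):
            e = off + 2 + 12 * i
            tag, typ, count = struct.unpack(endian + "HHI", data[e:e + 8])
            field = data[e + 8:e + 12]
            size = TYPE_SIZES.get(typ, 1) * count
            if size > 4:                            # out-of-line value: count its range
                extent = max(extent, struct.unpack(endian + "I", field)[0] + size)
            tags[tag] = (typ, count, field)
        for t in SUBIFD_TAGS:
            if t in tags:
                pending.extend(_ints(data, endian, *tags[t]))
        for otag, ctag in RANGE_TAGS:
            if otag in tags and ctag in tags:
                for o, c in zip(_ints(data, endian, *tags[otag]), _ints(data, endian, *tags[ctag])):
                    extent = max(extent, o + c)
        pending.append(struct.unpack(endian + "I", data[end - 4:end])[0])
    return extent


def inspect_dng(data):
    """Summarize structural end, slack size and the first ZIP signature in the slack."""
    extent = tiff_extent(data)
    end = min(extent, len(data))
    slack = data[end:]
    hits = [end + slack.find(m) for m in ZIP_MAGICS if m in slack]
    return {"size": len(data), "structural_end": end, "refs_past_eof": extent > len(data),
            "slack_bytes": len(slack), "zip_offset": min(hits) if hits else None}


def build_sample_dng(trailer=b""):
    """Constructed minimal little-endian TIFF/DNG: one 2x2 8-bit strip, optional trailer."""
    def ent(tag, typ, count, value):
        return struct.pack("<HHI", tag, typ, count) + value
    n, ifd_off = 6, 8
    strip_off = ifd_off + 2 + 12 * n + 4
    ifd = struct.pack("<H", n)
    ifd += ent(0x0100, 4, 1, struct.pack("<I", 2))          # ImageWidth
    ifd += ent(0x0101, 4, 1, struct.pack("<I", 2))          # ImageLength
    ifd += ent(0x0102, 3, 1, struct.pack("<HH", 8, 0))      # BitsPerSample
    ifd += ent(0x0111, 4, 1, struct.pack("<I", strip_off))  # StripOffsets
    ifd += ent(0x0117, 4, 1, struct.pack("<I", 4))          # StripByteCounts
    ifd += ent(0xC612, 1, 4, bytes([1, 4, 0, 0]))           # DNGVersion 1.4.0.0
    ifd += struct.pack("<I", 0)                             # no next IFD
    return b"II" + struct.pack("<HI", 42, ifd_off) + ifd + b"\x80" * 4 + trailer


def make_zip_trailer():
    """Constructed stand-in for an appended archive: a real ZIP with two dummy members."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as z:
        z.writestr("stage1.bin", b"\x7fELF" + b"\x00" * 60)
        z.writestr("stage2.bin", b"\x7fELF" + b"\x00" * 60)
    return buf.getvalue()


if __name__ == "__main__":
    print("clean:  ", inspect_dng(build_sample_dng()))
    print("tainted:", inspect_dng(build_sample_dng(make_zip_trailer())))
```

Because it only reads offsets and never decodes pixels, this check is safe to run on a quarantined sample before handing it to image tooling, and its structural-end figure gives a defensible cut point for carving the archive out for hashing. Legitimate DNGs can carry a few bytes of padding, so alert on slack that is large or that contains a recognizable container signature rather than on any non-zero slack.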
Mitigation and hardening: reduce blast radius now
Disable automatic media downloading in WhatsApp for high-risk users. Enforce rapid OS and security-bulletin updates, including Samsung's April and September fixes that hardened the image library. Through MDM, block execution of unknown modules, restrict the media types devices may receive where the platform allows it, and tighten camera and microphone permissions. Equip mobile threat defense agents to watch media-pipeline telemetry and flag suspicious decoder or codec loads. Finally, publish a short internal policy: media from unknown senders is not opened, and sensitive users exchange attachments over out-of-band channels.
Why this matters now: zero-click pressure and shrinking detection windows
Zero-click delivery shortens defender reaction time. Because LandFall hides inside routine messages and leverages a parsing bug, the first clear signal may be data leaving the device. Therefore, the combination of prompt patching, media policy changes, and media-pipeline visibility becomes decisive. Looking ahead, expect payloads to pivot to new codecs and formats; keep detections behavior-focused, not string-bound.
FAQs
Q1. How do I surface image-pipeline exploitation without breaking chat apps?
A1. Monitor decoder crashes and anomalous codec loads; alert on SELinux policy writes; restrict media auto-download for high-risk roles; and roll out patches fleet-wide.
Q2. Which artifacts prove LandFall on a device?
A2. The original DNG with an appended archive, loader and policy-manipulator modules on disk, SELinux changes, and short-interval beacons after a WhatsApp image arrives.
Q3. What stops re-infection after wipe and restore?
A3. Apply the security bulletins that fix the libimagecodec vulnerabilities before the device returns to service, restore only from trusted backups, re-enroll in MDM, and do not restore potentially tainted WhatsApp media caches.
Q4. Do non-Samsung Android devices face the same risk?
A4. The described zero-day targets Samsung’s library; however, similar image-format parsing bugs appear across platforms. Maintain current patches and watch for vendor advisories.