Spyware campaign targeting Samsung Galaxy devices via WhatsApp uncovered

Source Cryptopolitan

Cybersecurity firm Unit 42 has discovered a spyware campaign on Samsung Galaxy devices exploiting a zero-day vulnerability to infiltrate phones through images sent via WhatsApp. 

Security researchers warn that the operation has been active since mid-2024, and it helps attackers deploy advanced Android malware capable of full device surveillance without user interaction.

The researchers named the operation LANDFALL; they detected it in September, after an investigation that began in mid-2025 by probing iOS exploit samples.

LANDFALL malware strikes Android Samsung devices

According to Unit 42’s investigative report published on November 7, the Android-specific malware was found among those iOS samples, hidden inside Digital Negative (DNG) image files.

Some Samsung Galaxy phone owners reported seeing files with WhatsApp-style names like “IMG-20240723-WA0000.jpg”; samples with such names were uploaded to VirusTotal from locations including Morocco, Iran, Iraq, and Turkey between July 2024 and early 2025.

LANDFALL exploits CVE-2025-21042, a flaw in Samsung’s image processing library libimagecodec.quram.so. Separately, CVE-2025-12725 is an out-of-bounds write in WebGPU, the graphics processing component of Google’s Chrome browser.

The vulnerability was patched in April 2025 following reports of active exploitation, but not before attackers had delivered malformed DNG files containing an appended ZIP archive to several devices. Unit 42 explained that such a file tricks the vulnerable library into extracting and executing shared object (.so) libraries, which install the spyware on the device.
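As an added illustration (not code from Unit 42’s report or from the article), here is a defender-side triage check in Python for the two traits described above: a file named like a WhatsApp JPEG whose bytes are actually a TIFF/DNG container, and a ZIP archive appended after the image structure, with any shared objects inside it listed. The WhatsApp filename pattern is assumed from the one quoted in the article, and the sample input is constructed inline; it is not a real LANDFALL artifact.

```python
import io
import re
import struct
import zipfile

# DNG is TIFF-based, so a genuine DNG starts with a little- or big-endian TIFF header.
TIFF_MAGIC = (b"II*\x00", b"MM\x00*")
ZIP_EOCD = b"PK\x05\x06"  # end-of-central-directory record that closes every ZIP archive
# WhatsApp-style media name (assumed pattern, modelled on the one quoted in the article).
WA_NAME = re.compile(r"^IMG-\d{8}-WA\d{4}\.jpe?g$", re.IGNORECASE)


def find_appended_zip(data: bytes):
    """Return member names of a ZIP archive appended to a TIFF/DNG blob, else None."""
    if not data.startswith(TIFF_MAGIC):
        return None
    eocd = data.rfind(ZIP_EOCD)
    if eocd < 0 or eocd + 22 > len(data):  # EOCD is at least 22 bytes long
        return None
    # The EOCD stores the central directory's size and offset; together with the
    # EOCD position they locate the archive start inside the container file.
    cd_size, cd_offset = struct.unpack_from("<II", data, eocd + 12)
    start = eocd - cd_size - cd_offset
    if start < 8:  # a ZIP cannot begin inside the 8-byte TIFF header
        return None
    try:
        with zipfile.ZipFile(io.BytesIO(data[start:])) as zf:
            return zf.namelist()
    except (zipfile.BadZipFile, EOFError, OSError, struct.error):
        return None


def triage(filename: str, data: bytes) -> list:
    """Flag the traits the article describes; returns an empty list for a clean file."""
    findings = []
    if WA_NAME.match(filename) and data.startswith(TIFF_MAGIC):
        findings.append("jpg_name_but_tiff_dng_content")
    members = find_appended_zip(data)
    if members:
        findings.append("appended_zip_archive")
        if any(m.endswith(".so") for m in members):
            findings.append("zip_contains_shared_object")
    return findings


def constructed_sample() -> bytes:
    """Constructed test input: a minimal TIFF header followed by a harmless ZIP."""
    tiff = b"II*\x00" + struct.pack("<IHI", 8, 0, 0)  # header, empty IFD, no next IFD
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("b.so", b"placeholder, not a real payload")
    return tiff + buf.getvalue()
```

Run `triage()` over files an Android backup or a mail/chat gateway hands you; the `.so` name inside the archive is the strongest of the three signals.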

Unit 42’s report said the spyware activates microphones for recording, tracks users via GPS, and quietly steals information such as photos, contacts, call logs, and messages. Affected Samsung Galaxy models include the S22, S23, S24, and Z series, specifically those running Android versions 13, 14 and 15. 

A zero-day also affected DNG image parsing on Apple iOS, where WhatsApp developers discovered attackers chaining that Apple vulnerability with another flaw to force devices to process content from malicious URLs.

The second component of LANDFALL, called b.so, connects to its command-and-control (C2) server using HTTPS over an ephemeral, non-standard TCP port. The malware can send ping signals to check that the server is reachable before starting encrypted traffic, as the report’s technical appendix explains.

Once the HTTPS connection is active, b.so transmits a POST request containing detailed information about the infected device and spyware instance, including the agent ID, device path, and user ID.

In September, WhatsApp reported a related vulnerability (CVE-2025-21043) to Samsung. The messaging company advised users that a malicious message could exploit flaws in the operating system to compromise devices and the data they contain. 

“Our investigation indicates that a malicious message may have been sent to you through WhatsApp and combined with other vulnerabilities in your device’s operating system,” Meta said in a security update. “While we don’t know with certainty that your device has been compromised, we wanted to let you know out of an abundance of caution.”

Last week, news publication The Peninsula reported that the campaign could be traced back to state-linked spyware on mobile devices in the Middle East. NSO Group’s Pegasus, Cytrox/Intellexa’s Predator, and Gamma’s FinFisher FinSpy have long been associated with similar attacks. 

Google provides updates to counter zero-day security flaw

According to a previous Google report, commercial surveillance vendors such as these were responsible for nearly half of all zero-day vulnerabilities in its products between 2014 and 2023. Last month, a US federal court barred Israeli NSO Group from reverse engineering WhatsApp to deliver spyware.

“Part of what companies such as WhatsApp are ‘selling’ is informational privacy, and any unauthorised access is an interference with that sale,” US District Judge Phyllis Hamilton said in her ruling.

The technology giant released Chrome version 142 last week to counter five critical security vulnerabilities, three of which it said carried “high-risk severity” ratings. The update was made available on desktop platforms and on Android devices through patches delivered via Google Play.

CVE-2025-12727 affects V8, the Chrome JavaScript engine that executes script code, while CVE-2025-12726 impacts Chrome Views, the browser’s user interface manager. 

Cybersecurity professionals are now asking Samsung Galaxy users to immediately apply the April 2025 security update to patch CVE-2025-21042. 
