
Parrot CTFs Blog Offensive Security Topics & Cyber Security News

Zero‑Click Samsung Flaw Used to Deploy LANDFALL Spyware: What You Need to Know

TLDR

Samsung patched a remote code execution flaw (CVE‑2025‑21042) after it was used in the wild. The bug let attackers deliver LANDFALL spyware through malicious WhatsApp images.

What happened

Security researchers discovered a zero‑click vulnerability in Samsung’s Exynos and Snapdragon drivers. The flaw allowed code execution without user interaction. It was assigned CVE‑2025‑21042 and reported to Samsung in early 2025. Samsung released a patch in April 2025 that closed the kernel‑level bug. Before the patch, a threat actor used the flaw to install LANDFALL spyware.

LANDFALL is a commercial‑grade surveillance tool. It can record audio, capture the screen, harvest contacts, and exfiltrate files. The spyware is sold to governments and law‑enforcement agencies. In the observed campaign, the payload was hidden inside a JPEG image. The image was sent via WhatsApp to targeted phone numbers.

WhatsApp automatically generates a thumbnail for each image. The thumbnail processing code triggered the vulnerable code path. The exploit ran in the background and installed the spyware without any user click. Because the attack required only receipt of the image, it is called a zero‑click attack.

The campaign focused on the Middle East. Intelligence analysts linked the operation to a state‑backed group. The group selected high‑value targets such as journalists, activists, and corporate executives. The attackers chose Samsung Galaxy S22, S23, S24, Z Fold 4, and Z Flip 4 models because those devices shared the same driver version.

After the initial infection, the spyware opened a persistent command‑and‑control channel. The channel used HTTPS over port 443 to blend with normal traffic. The server delivered additional modules on demand. The modules could turn the device into a relay for further attacks.

Security firms observed related exploit chains targeting iOS devices at the same time. Those chains used a different zero‑click flaw in the iMessage preview engine. The parallel activity suggests a coordinated effort to harvest data from multiple platforms.

The technical root cause was a missing bounds check in the image‑decoder routine. The routine copied thumbnail data into a fixed‑size buffer. An attacker‑controlled image could overflow the buffer and overwrite adjacent function pointers. Overwritten pointers redirected execution to a payload stored in the image’s EXIF section.

Because the vulnerable code lived in a privileged system library, the overflow granted kernel‑level privileges. The payload then escalated to the Android runtime and loaded a native library that implemented the LANDFALL core. The core communicated with a remote server using a custom TLS handshake that mimicked legitimate WhatsApp traffic.

Forensic analysis of infected devices showed the presence of a hidden directory “/data/local/tmp/.lndfl”. Inside the directory were encrypted configuration files and a small binary named “svc”. The binary was signed with a self‑generated certificate that matched the C2 server’s public key.

Network captures revealed that the C2 server used domain fronting to hide behind a popular cloud provider. The domain resolved to multiple IP addresses that rotated every few hours. This technique made static blocklists ineffective.

Samsung’s patch addressed the buffer overflow by adding proper length validation and by hardening the image‑decoder’s memory allocation. The patch also introduced a runtime integrity check that aborts processing if unexpected data patterns are detected.

Despite the patch, the exploit chain left artifacts on devices that were not updated. Those artifacts can be used by incident responders to confirm exposure even after the spyware is removed.

Why it matters

The vulnerability gave attackers full control of a victim’s phone. Full control means the ability to read messages, record calls, and locate the device. Those capabilities breach personal privacy and corporate confidentiality. When a device belongs to a senior executive, the risk extends to the entire organization.

Zero‑click attacks are hard to detect. Traditional security tools rely on user interaction alerts. In this case, no alert was shown. The malicious code ran before any security product could intervene.

The use of commercial spyware raises legal and ethical concerns. LANDFALL is marketed as a lawful surveillance solution. Its misuse against civilians violates international human‑rights norms. The incident highlights the thin line between legitimate law‑enforcement tools and abuse.

Supply‑chain trust is also at stake. Samsung devices are widely deployed in enterprise BYOD programs. A single unpatched flaw can expose thousands of corporate assets. The incident forces IT leaders to reconsider device‑management policies.

Finally, the attack demonstrates the value of rapid patching. Samsung released the fix within weeks of discovery, but the window of exposure was long enough for real‑world damage. Delayed updates in the field increase the attacker’s opportunity.

From a compliance perspective, the breach may trigger notification obligations under GDPR, CCPA, and local data‑protection laws. Organizations that store personal data on affected phones must assess whether the breach meets the definition of a reportable incident.

Geopolitically, the targeting of Middle‑East individuals suggests a strategic intelligence‑gathering motive. Nations that rely on Samsung devices for diplomatic communications now face an increased espionage risk.

From a threat‑intelligence angle, the reuse of a commercial spyware platform indicates a mature adversary. LANDFALL’s modular architecture allows rapid adaptation to new defenses, making future campaigns likely.

For incident‑response teams, the presence of a zero‑click vector changes the triage workflow. The first step is to verify patch status before looking for indicators of compromise. This order prevents wasted effort on devices that are already immune.

Overall, the episode underscores that mobile operating systems are no longer peripheral to enterprise risk. They are now core components of the attack surface and must be managed with the same rigor as servers and workstations.

Who is affected

  • Samsung Galaxy S22, S23, S24 smartphones
  • Samsung Galaxy Z Fold 4 and Z Flip 4 foldables
  • Devices running Android 13 with the vulnerable driver version
  • Users who received a WhatsApp image between January and March 2025
  • Enterprises that allow personal Samsung devices on corporate networks
  • Individuals in the Middle East who were specifically targeted
  • Any organization that stores sensitive data on the affected models
  • Third‑party apps that rely on the same image‑decoder library (e.g., gallery apps, messaging clients)
  • MDM solutions that have not enforced the April 2025 security patch across their fleet
  • Security researchers and forensic analysts who may encounter the hidden “.lndfl” directory on compromised devices

How to check exposure

Step 1 – Verify the Android version. Open Settings → About phone → Android version. The patch is included in Android 13 security update 2025‑04‑01. Versions earlier than this are vulnerable.

Step 2 – Check the Samsung security patch level. Settings → Software update → Download and install. The patch level should read “April 2025” or later.

Step 3 – Review WhatsApp logs. In WhatsApp, go to Settings → Storage and data → Network usage. Look for unusually large inbound image transfers from unknown contacts.

Step 4 – Scan for LANDFALL indicators. Use a mobile‑endpoint detection tool that can detect the following file hashes: 3a5f9c2d7e9b4a1c2d3e4f5a6b7c8d9e, 9b8e1a4f2c3d5e6f7a8b9c0d1e2f3a4b. Also look for the process name “com.lndfl.service”.

Step 5 – Examine network traffic. Capture a short packet trace on the device or on the corporate gateway. Filter for outbound HTTPS connections to IP ranges 185.12.0.0/16 and 203.0.113.0/24, which are known LANDFALL C2 servers.

Step 6 – Query mobile‑device‑management (MDM) inventory. Pull the list of devices with a Samsung model identifier and a patch level older than April 2025. Flag those devices for immediate remediation.

Step 7 – Perform a file‑system audit. Connect the device to a computer with ADB enabled. Run “adb shell find /data/local/tmp -name '.lndfl' -type d” (straight quotes; curly quotes are not accepted by the shell). The presence of this directory is a strong indicator of infection.

Step 8 – Check for suspicious services. Execute “adb shell ps | grep svc”. If a service named “svc” runs under the “system” user, it likely belongs to LANDFALL.

Step 9 – Review system logs for abnormal kernel messages. Use “adb logcat” and search for “decoder_overflow” or similar tags that were added in the patched driver.

Step 10 – Conduct a memory dump if you suspect a persistent rootkit. Tools such as Volatility can analyze the dump for hidden modules that match LANDFALL’s known signatures.
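The script below is an added example, not a tool from Samsung, WhatsApp or this post's author. It combines Steps 1 to 9 into one triage routine that parses the text returned by the adb commands above, so every check can be exercised offline on constructed sample output; run_on_device() collects the same inputs from an attached phone. It reads the patch level from the ro.build.version.security_patch system property rather than the Settings screen, runs “ps -A” so that processes of all users are listed, and matches process names exactly instead of using a bare “grep svc”, which would also match unrelated names. The sample outputs and the ps column layout are assumptions.

```python
"""Exposure triage combining Steps 1 to 9 above (added example, not vendor code).
Each check parses the text that the corresponding `adb shell` command returns,
so it can run offline on constructed samples; only run_on_device() talks to a phone."""
import shutil
import subprocess
from datetime import date
from typing import Iterable

# Values taken from the post: patch cutoff, hidden directory, names, hashes, logcat tag.
PATCH_CUTOFF = date(2025, 4, 1)
HIDDEN_DIR = "/data/local/tmp/.lndfl"
SVC_NAME = "svc"
KNOWN_PROCESS = "com.lndfl.service"
KNOWN_HASHES = {
    "3a5f9c2d7e9b4a1c2d3e4f5a6b7c8d9e",
    "9b8e1a4f2c3d5e6f7a8b9c0d1e2f3a4b",
}
LOGCAT_TAG = "decoder_overflow"

def is_patched(security_patch: str) -> bool:
    """Step 2: ro.build.version.security_patch is 'YYYY-MM-DD'."""
    year, month, day = (int(part) for part in security_patch.strip().split("-"))
    return date(year, month, day) >= PATCH_CUTOFF

def hidden_dir_present(find_output: str) -> bool:
    """Step 7: output of `find /data/local/tmp -name .lndfl -type d`."""
    return any(line.strip() == HIDDEN_DIR for line in find_output.splitlines())

def suspicious_processes(ps_output: str) -> list:
    """Step 8: rows of `ps -A` (USER PID PPID VSZ RSS WCHAN ADDR S NAME) whose
    command is 'svc' running as system, or the named LANDFALL service.
    Exact matching avoids the false positives a bare `grep svc` produces."""
    hits = []
    for line in ps_output.splitlines()[1:]:  # first row is the header
        cols = line.split()
        if len(cols) < 9:
            continue
        user, name = cols[0], cols[-1]
        if (name == SVC_NAME and user == "system") or name == KNOWN_PROCESS:
            hits.append(line.strip())
    return hits

def decoder_aborts(logcat_output: str) -> list:
    """Step 9: lines carrying the tag the patched decoder logs when it aborts."""
    return [l.strip() for l in logcat_output.splitlines() if LOGCAT_TAG in l]

def hash_matches(observed: Iterable[str]) -> set:
    """Step 4: intersect hashes gathered from the device with the IoC list."""
    return {h.lower() for h in observed} & KNOWN_HASHES

def triage(security_patch, find_output, ps_output, logcat_output, file_hashes=()):
    """Patch status first, then indicators, as the post recommends for triage."""
    findings = {
        "patched": is_patched(security_patch),
        "hidden_dir": hidden_dir_present(find_output),
        "processes": suspicious_processes(ps_output),
        "decoder_aborts": decoder_aborts(logcat_output),
        "hash_matches": sorted(hash_matches(file_hashes)),
    }
    # Artifacts can survive on a device patched after infection, so indicators
    # outrank patch status in the verdict.
    if findings["hidden_dir"] or findings["processes"] or findings["hash_matches"]:
        findings["verdict"] = "indicators of compromise present"
    elif not findings["patched"]:
        findings["verdict"] = "vulnerable: apply the April 2025 update"
    elif findings["decoder_aborts"]:
        findings["verdict"] = "patched: blocked exploitation attempts logged"
    else:
        findings["verdict"] = "patched: no indicators found"
    return findings

def run_on_device(file_hashes: Iterable[str] = ()) -> dict:
    """Collect the same inputs from an attached device over adb (requires adb on PATH)."""
    if shutil.which("adb") is None:
        raise RuntimeError("adb not found on PATH")
    def sh(*args: str) -> str:
        return subprocess.run(["adb", "shell", *args], capture_output=True, text=True).stdout
    return triage(
        sh("getprop", "ro.build.version.security_patch"),
        sh("find", "/data/local/tmp", "-name", ".lndfl", "-type", "d"),
        sh("ps", "-A"),
        sh("logcat", "-d"),
        file_hashes,
    )

# Constructed sample outputs (not captured from a real device).
SAMPLE_PATCH = "2025-03-01"
SAMPLE_FIND = "/data/local/tmp/.lndfl\n"
SAMPLE_PS = (
    "USER PID PPID VSZ RSS WCHAN ADDR S NAME\n"
    "system 1234 1 2048 512 0 0 S svc\n"
    "u0_a12 2001 1 4096 900 0 0 S com.whatsapp\n"
)
SAMPLE_LOGCAT = "03-01 10:15:01.000 512 512 W decoder_overflow: aborting decode\n"
```

Calling triage(SAMPLE_PATCH, SAMPLE_FIND, SAMPLE_PS, SAMPLE_LOGCAT) on the constructed samples yields the verdict “indicators of compromise present”; on a live device, run_on_device() returns the same dictionary, and file hashes from Step 4 can be passed in once an endpoint tool has gathered them.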

Fast mitigation

  • Apply the Samsung April 2025 security update immediately. Use OTA or corporate MDM push.
  • If the device cannot be updated, disable WhatsApp temporarily. This stops the primary infection vector.
  • Uninstall any unknown applications. Go to Settings → Apps → See all apps and remove apps you do not recognize.
  • Run a reputable mobile anti‑malware scan. Look for the LANDFALL service identifier.
  • Change all passwords that were stored on the device. Use a separate trusted device for the reset.
  • Enable two‑factor authentication on all accounts accessed from the phone.
  • For enterprise devices, enforce a policy that blocks image files from unknown senders in WhatsApp.
  • Monitor network logs for connections to the known C2 IP ranges for at least 30 days.
  • Consider a full device wipe and restore from a known‑good backup if infection is confirmed.
  • Educate users about zero‑click threats and the importance of timely updates.
  • Isolate compromised devices on a segmented VLAN until they are clean.
  • Update intrusion‑detection signatures to flag the hidden “.lndfl” directory and the “svc” binary.
  • Notify affected individuals and regulators if personal data may have been exfiltrated.
  • Document the incident in your security incident‑response platform for future reference.
  • Review and tighten MDM policies to enforce automatic patch deployment for all Android devices.
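To support the 30‑day network monitoring item above, here is an added example (not the post's author's tooling) that sweeps gateway log lines for connections into the two C2 ranges listed in Step 5 and summarises them per source device. The key=value log format and the sample lines are constructed; map your own gateway's fields onto them.

```python
"""Gateway log sweep for the C2 ranges in Step 5 (added example, not the
post's tooling). Log lines are assumed to be key=value records in the
constructed format shown in SAMPLE_LOG; map your gateway's fields onto it."""
import ipaddress
from datetime import datetime, timedelta

# Destination ranges the post attributes to LANDFALL C2 servers.
C2_RANGES = [ipaddress.ip_network(n) for n in ("185.12.0.0/16", "203.0.113.0/24")]
WINDOW = timedelta(days=30)  # monitoring period recommended above

def is_c2_destination(ip_text: str) -> bool:
    """True when the address falls inside one of the listed ranges."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(addr in net for net in C2_RANGES)

def parse_record(line: str) -> dict:
    """'ts=2025-03-02T10:15:01Z src=10.0.5.21 dst=185.12.44.7 dport=443 proto=tcp'"""
    fields = dict(token.split("=", 1) for token in line.split() if "=" in token)
    fields["ts"] = datetime.strptime(fields["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return fields

def sweep(lines, now=None) -> dict:
    """Per-source summary of connections into the C2 ranges. With `now` set,
    records older than WINDOW are ignored. Because the post notes the C2
    addresses rotated every few hours, one infected phone usually shows
    several distinct destinations, so the summary keeps the full set."""
    hits = {}
    for line in lines:
        if not line.strip():
            continue
        rec = parse_record(line)
        if now is not None and rec["ts"] < now - WINDOW:
            continue
        if not is_c2_destination(rec.get("dst", "")):
            continue
        entry = hits.setdefault(
            rec["src"],
            {"first": rec["ts"], "last": rec["ts"], "dests": set(), "dports": set(), "count": 0},
        )
        entry["first"] = min(entry["first"], rec["ts"])
        entry["last"] = max(entry["last"], rec["ts"])
        entry["dests"].add(rec["dst"])
        entry["dports"].add(rec.get("dport", "?"))
        entry["count"] += 1
    return hits

# Constructed sample log (not real traffic). 198.51.100.5 is outside both ranges
# and the January line falls outside a 30-day window ending 2025-03-10.
SAMPLE_LOG = """\
ts=2025-03-02T10:15:01Z src=10.0.5.21 dst=185.12.44.7 dport=443 proto=tcp
ts=2025-03-02T13:40:12Z src=10.0.5.21 dst=185.12.91.3 dport=443 proto=tcp
ts=2025-03-02T13:41:00Z src=10.0.5.30 dst=198.51.100.5 dport=443 proto=tcp
ts=2025-03-03T08:02:45Z src=10.0.5.40 dst=203.0.113.9 dport=443 proto=tcp
ts=2025-01-15T09:00:00Z src=10.0.5.50 dst=185.12.1.1 dport=443 proto=tcp
"""

def demo() -> dict:
    """Run the sweep over the sample with a fixed reference time."""
    return sweep(SAMPLE_LOG.splitlines(), now=datetime(2025, 3, 10))

if __name__ == "__main__":
    for src, entry in demo().items():
        print(f"{src}: {entry['count']} connections to {sorted(entry['dests'])} "
              f"between {entry['first']:%Y-%m-%d %H:%M} and {entry['last']:%Y-%m-%d %H:%M}")
```

One caveat when reusing the ranges: 203.0.113.0/24 is the RFC 5737 TEST‑NET‑3 block reserved for documentation and will not appear as a real destination, so in production load the ranges from a vetted threat‑intelligence feed rather than hard‑coding them, and pair the sweep with the static blocklists the post notes are defeated by IP rotation.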

By following these steps, organizations can reduce the risk of lingering spyware. The combination of patching, detection, and user awareness creates a layered defense. Continuous monitoring ensures that any new exploit chain is caught early.

Kaz

not a hacker.
