Understanding LANDFALL Android malware: Threats and Protection Measures
LANDFALL Android malware arrived as a potent, image-based Android spyware threat that demands urgent attention. It exploited DNG image files disguised as WhatsApp photos to gain remote access without interaction. Researchers found zero-click remote code execution in Samsung image libraries, which allowed full surveillance. Attackers used the exploit to record microphones, intercept calls, track locations, and harvest photos and messages. Because it targeted Galaxy S22, S23, S24 and selected foldable models, millions of users faced risk. However, Samsung issued patches for CVE-2025-21042 and CVE-2025-21043 to close the gap. As a result, updating firmware and using vetted security tools reduces exposure.
This article explains the technical details, indicators of compromise, and practical steps to defend devices. It also highlights detection, mitigation, and recovery strategies for individuals and organizations. Read on to learn how to spot image-based exploits and secure Android endpoints against advanced spyware.
What is LANDFALL Android malware?
LANDFALL Android malware is a targeted Android spyware campaign. It uses crafted DNG image files to trigger remote code execution. Researchers tied it to exploits in Samsung image libraries. As a result, attackers could gain access without user interaction. The campaign surfaced in mid-2024 and targeted several Galaxy models.
Key characteristics and typical behaviors
- Zero-click infection vector: specially crafted DNG images arrive as WhatsApp photos and execute code automatically. Therefore victims need not tap or download files.
- Vulnerable component: it exploits Samsung’s libimagecodec.quram.so library, notably CVE-2025-21042 and later CVE-2025-21043. Because of this, patched firmware blocks the exploit.
- Persistent spyware payloads: deployed components include a loader called Bridge Head and a main module often named b.so.
- Stealthy C2 communications: b.so talks to command servers over HTTPS on ephemeral, non-standard ports, which helps evade simple network filters.
- Broad surveillance capabilities: attackers can record microphones, intercept calls, and collect location data, photos, contacts, SMS, call logs, and browsing history.
- Evasion and targeting: the malware detects debugging and analysis tools and appears linked to Middle Eastern threat actors. In addition, six malicious samples appeared on VirusTotal during the campaign.
Overall, LANDFALL Android malware combines image-based infection with strong evasion and comprehensive data collection. Update devices and apply vendor patches to reduce risk.
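Because the infection vector is a DNG file that arrives looking like an ordinary photo, a first triage step is to identify files by structure rather than by extension. The helper below is an added example (not code from the Unit 42 report or from Samsung): it parses the TIFF header and IFD0 of each received file and flags any that carry the DNGVersion tag, including ones named .jpg. The 64 KiB read size and the sample DNG bytes are assumptions constructed for the demonstration.

```python
"""Triage helper: find DNG-structured files among received media, whatever
extension they carry. Added example, not from the LANDFALL report. Reads the
TIFF header and IFD0 and reports files with the DNGVersion tag (0xC612)."""
import os
import struct

DNG_VERSION_TAG = 0xC612  # TIFF tag 50706; present only in DNG files

def parse_ifd0(data: bytes):
    """Return the set of tag ids in IFD0, or None if data is not TIFF/DNG."""
    if len(data) < 8 or data[:4] not in (b"II*\x00", b"MM\x00*"):
        return None
    end = "<" if data[:2] == b"II" else ">"  # byte order from the header
    (ifd_off,) = struct.unpack(end + "I", data[4:8])
    if ifd_off + 2 > len(data):
        return None  # IFD offset points outside the buffer
    (count,) = struct.unpack(end + "H", data[ifd_off:ifd_off + 2])
    tags = set()
    for i in range(count):
        off = ifd_off + 2 + 12 * i  # each IFD entry is 12 bytes
        if off + 12 > len(data):
            break  # truncated IFD: stop instead of reading past the end
        tags.add(struct.unpack(end + "H", data[off:off + 2])[0])
    return tags

def classify(name: str, data: bytes) -> str:
    """'dng', 'dng-misnamed', 'tiff' or 'other' for a file name and its bytes."""
    tags = parse_ifd0(data)
    if tags is None:
        return "other"
    if DNG_VERSION_TAG not in tags:
        return "tiff"
    return "dng" if name.lower().endswith(".dng") else "dng-misnamed"

def scan_media(directory: str):
    """List (name, verdict) for every DNG in directory, misnamed or not."""
    found = []
    for name in sorted(os.listdir(directory)):
        with open(os.path.join(directory, name), "rb") as f:
            verdict = classify(name, f.read(64 * 1024))  # header+IFD0 are at the front
        if verdict.startswith("dng"):
            found.append((name, verdict))
    return found

def build_min_dng() -> bytes:
    """Constructed 26-byte little-endian DNG: one IFD0 entry, DNGVersion=1.4.0.0."""
    return (struct.pack("<4sIH", b"II*\x00", 8, 1)
            + struct.pack("<HHI4B", DNG_VERSION_TAG, 1, 4, 1, 4, 0, 0)
            + struct.pack("<I", 0))
```

A "dng-misnamed" verdict on a file in a messaging app's media folder is a triage signal, not proof of exploitation; the file still needs analysis in an isolated environment.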
Comparing LANDFALL Android malware with common Android threats
Below is a concise comparison that highlights how LANDFALL Android malware differs from other prevalent Android strains.
| Threat | Infection method | Payload type | Typical damage | Detection difficulty | Removal complexity | Notable targets or CVEs |
|---|---|---|---|---|---|---|
| LANDFALL Android malware | Crafted DNG images delivered via messaging apps, zero-click | Targeted spyware loader and module (Bridge Head, b.so) | Full surveillance: mic recording, call interception, photos, SMS, location | High due to zero-click and evasion techniques | High; stealthy persistence and non-standard C2 channels | Targets Samsung Galaxy S22, S23, S24, Z Fold4, Z Flip4. See the Unit 42 report, the Samsung advisory, and NVD CVE-2025-21042. |
| Joker | Malicious apps on app stores or sideloaded | Ad fraud and billing fraud modules | Revenue loss and privacy invasion | Medium; often hides in apps | Medium; removal requires uninstall and cleanup | Widespread via Play Store campaigns. See Malwarebytes reporting. |
| Cerberus | Phishing and trojanized apps | Banking trojan with overlay attacks | Financial theft and credential theft | High when obfuscated | High; may resist removal and hide as system app | Notable for overlay attacks in past campaigns. See ESET reports. |
| Triada | Pre-installed or dropped by other malware | Multi-component backdoor | System compromise and persistent control | High when pre-installed | Very high; may require factory reset | Known for deep system hooks on some devices. See security vendor reports. |
| Anubis | Malicious apps and phishing SMS | Banking trojan and info stealer | Credential theft and fraud | Medium to high | Medium; depends on root access | Documented in threat reports and malware whitepapers. |
Related keywords and terms: DNG image files, CVE-2025-21042, Android spyware, libimagecodec.quram.so, zero-click exploit, C2 over HTTPS, b.so, Bridge Head.
Protection against LANDFALL Android malware
Keep firmware and apps up to date
- Install vendor updates promptly because patches block the exploited library. For example, Samsung released fixes for CVE-2025-21042 and CVE-2025-21043. See the Samsung Security Advisory and the NVD entry for CVE-2025-21042.
- Enable automatic security updates when possible to reduce exposure.
Limit attack surface
- Use only trusted app stores and official messaging apps. Avoid sideloading unknown APKs.
- Restrict app permissions. For instance, deny microphone, camera, and location access unless necessary.
Deploy security tools and network controls
- Run reputable mobile endpoint protection to detect malicious modules and abnormal behaviors. In addition, use DNS filtering and URL inspection at the network edge.
- Monitor outbound connections for unusual HTTPS traffic on ephemeral ports because LANDFALL uses non-standard C2 channels.
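The monitoring step above can be expressed as a concrete detection over connection logs. This is an added example, not from the Unit 42 report: it reads constructed Zeek-style conn records and reports device-to-peer pairs that repeatedly complete TLS sessions on ephemeral, non-standard destination ports. The "ssl" service label, the set of expected TLS ports, the 32768 ephemeral boundary and the sample addresses are assumptions.

```python
"""Flag repeated TLS sessions to ephemeral, non-standard ports in Zeek-style
conn logs. Added example (not from the Unit 42 report); the log lines below
are constructed. LANDFALL's b.so is reported to use HTTPS C2 on ephemeral
ports, so TLS handshakes to high unregistered ports from a phone merit review."""
from collections import defaultdict

STANDARD_TLS_PORTS = {443, 8443, 993, 995, 465}  # assumption: expected TLS services
EPHEMERAL_MIN = 32768  # assumption: start of the Linux/IANA dynamic port range

# Constructed sample, tab-separated: ts, src, dst, dport, proto, service, duration
SAMPLE_LOG = """\
1731000001.1\t10.0.0.7\t142.250.74.36\t443\ttcp\tssl\t1.2
1731000005.4\t10.0.0.7\t203.0.113.9\t40219\ttcp\tssl\t14.8
1731000009.0\t10.0.0.12\t198.51.100.5\t8443\ttcp\tssl\t0.5
1731000012.3\t10.0.0.7\t203.0.113.9\t51730\ttcp\tssl\t9.1
1731000015.7\t10.0.0.7\t203.0.113.9\t60002\ttcp\tssl\t3.3
1731000020.2\t10.0.0.12\t192.0.2.44\t53\tudp\tdns\t0.1
"""

def parse_conn(log: str):
    """Yield one dict per log line; fields follow the header comment above."""
    for line in log.splitlines():
        ts, src, dst, dport, proto, service, dur = line.split("\t")
        yield {"ts": float(ts), "src": src, "dst": dst, "dport": int(dport),
               "proto": proto, "service": service, "dur": float(dur)}

def suspicious_tls(records, min_hits: int = 2):
    """Return {(src, dst): [ports]} for peers reached over TLS on ephemeral,
    non-standard ports at least min_hits times (repeat beacons, not one-offs)."""
    hits = defaultdict(list)
    for r in records:
        if r["service"] != "ssl" or r["proto"] != "tcp":
            continue  # only completed TLS sessions over TCP
        if r["dport"] in STANDARD_TLS_PORTS or r["dport"] < EPHEMERAL_MIN:
            continue  # normal HTTPS/IMAPS/etc. or a registered port
        hits[(r["src"], r["dst"])].append(r["dport"])
    return {k: v for k, v in hits.items() if len(v) >= min_hits}

if __name__ == "__main__":
    for (src, dst), ports in suspicious_tls(parse_conn(SAMPLE_LOG)).items():
        print(f"{src} -> {dst}: TLS on ephemeral ports {sorted(set(ports))}")
```

Tune min_hits and the port sets to the environment; some legitimate apps also use TLS on high ports, so treat a hit as a lead for triage rather than a verdict.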
Operational best practices for organizations
- Apply threat intelligence feeds and signatures from vendors. Unit 42 published an analysis that is useful for detection.
- Enforce mobile device management policies and application allow lists to control installations.
- Regularly back up sensitive data and maintain incident response playbooks.
Detect and respond to compromises
- Look for indicators of compromise such as unexpected processes, battery drain, or unknown outbound connections.
- If you suspect an infection, isolate the device, collect logs, and perform a factory reset only after preserving forensic artifacts.
These steps reduce the chance of successful LANDFALL Android malware attacks. Stay vigilant and verify updates frequently.
Conclusion
LANDFALL Android malware demonstrates how image-based, zero-click spyware can compromise modern Android devices. It can record microphones, intercept calls, and steal private data. Because it exploited a vendor image library, timely device updates mattered. Therefore users and organizations must prioritize patches, limit app permissions, and deploy mobile endpoint protection.
In addition, monitoring network behavior helps detect stealthy C2 channels and unusual outbound traffic. Staying vigilant reduces risk and speeds incident response. For businesses, investing in AI-driven tools improves resilience. Velocity Plugins specializes in AI-driven WooCommerce plugins such as Velocity Chat. Velocity Chat helps businesses increase conversion rates and reduce support costs via intelligent, catalog-trained AI chatbots. Act now to reduce exposure and protect data. Trust proven security practices and smart automation to protect users and power growth.
Frequently Asked Questions (FAQs)
What is LANDFALL Android malware?
LANDFALL Android malware is a targeted, image-based spyware campaign. It abused crafted DNG images to trigger zero-click execution in Samsung image libraries. Researchers linked it to comprehensive surveillance capabilities, including microphone recording and data theft. It primarily targeted recent Galaxy devices during mid-2024 and 2025.
How can I detect if a device is infected?
Look for signs such as unexpected battery drain, unusual outbound network connections, and poor performance. Also monitor for unknown processes and sudden permission changes. Because LANDFALL uses stealthy C2 channels, check for HTTPS traffic on ephemeral ports and use mobile endpoint detection to flag anomalies.
What prevention steps should users take?
Install vendor firmware and security updates immediately. Use official app stores and avoid sideloading unknown APKs. Limit permissions for microphone, camera, and location. In addition, enable automatic updates and run reputable mobile antivirus. For organizations, enforce MDM policies and application allow lists.
How wide is LANDFALL’s impact and who was targeted?
LANDFALL focused on Samsung Galaxy S22, S23, and S24 families, plus some foldables. Therefore the impact concentrated on users of those devices in the Middle East. However, the underlying vector highlights wider risk to any device using vulnerable image libraries.
What steps remove LANDFALL if an infection is suspected?
Isolate the device from networks and preserve logs for forensic analysis. Run a full mobile endpoint scan with a trusted tool. If the infection is confirmed, perform a factory reset after backing up essential data. Finally, update the firmware and change credentials to limit post-compromise risk.