LandFall spyware deployment via malicious WhatsApp .DNG images
Malware Activity
Summary
The LandFall spyware operation used malicious .DNG images sent over WhatsApp to exploit Samsung’s CVE-2025-21042, execute code on targeted Galaxy phones, and keep access for spying. The activity affected select Samsung Galaxy users in the Middle East and supported persistence, microphone recording, and call recording. Samples seen as early as July 23, 2024 show the operation had been active before the patch. Affected models included Galaxy S22/S23/S24 and Z Fold 4/Z Flip 4.
Cases
Related Happenings
CallPhantom Google Play fraud campaign targeting Android users in India and Asia-Pacific
Campaign
First: 08.05.2026 18:08
Last: 08.05.2026 18:08
Sources 1
About this happening:
The **CallPhantom** fraud campaign pushed **28 fake call-history Android apps** through the **Google Play Store**, causing **financial loss** for users who paid for fabricated dat...
NoVoice Android malware hidden in Google Play apps
Malware Activity
First: 01.04.2026 21:07
Last: 01.04.2026 21:07
Sources 1
About this happening:
**NoVoice** Android malware was found hidden in **more than 50 Google Play apps**, exposing **at least 2.3 million downloads** to compromise. After installation, it used **old And...
SORVEPOTEL WhatsApp malware campaign spreads across Brazil
Campaign
First: 12.03.2026 19:31
Last: 12.03.2026 19:31
Sources 1
About this happening:
A **WhatsApp** malware campaign in **Brazil** is spreading **SORVEPOTEL**, a **self-propagating Windows malware** that uses **phishing ZIP attachments** and a desktop-only lure to...
Coruna iOS mass exploitation wave
Exploitation Wave
First: 04.03.2026 15:28
Last: 04.03.2026 15:28
Sources 1
About this happening:
The **Coruna** exploit kit marks the **first observed mass exploitation against iOS devices**, shifting risk from highly targeted spyware to **broad deployment** against **iPhone...
Predator spyware targeting Teixeira Cândido's iPhone
Malware Activity
First: 18.02.2026 19:30
Last: 18.02.2026 19:30
Sources 1
About this happening:
**Predator spyware** successfully targeted **Teixeira Cândido's iPhone** in **May 2024**, giving an attacker the ability to gain **unrestricted access** to the device. The infecti...
Timeline
- 10.11.2025 22:00 · 1 article · 6mo ago
CISA orders agencies to patch Samsung zero-day used by LandFall
Legal Policy Action Update: CISA added CVE-2025-21042 to its Known Exploited Vulnerabilities catalog and ordered Federal Civilian Executive Branch agencies to secure Samsung devices against ongoing LandFall spyware attacks within three weeks, with a deadline of December 1. The guidance follows confirmation that the Samsung libimagecodec.quram.so flaw was exploited as a zero-day to deploy LandFall spyware on WhatsApp users.
Sources:
- CISA orders feds to patch Samsung zero-day used in spyware attacks — www.bleepingcomputer.com — 10.11.2025 22:00
- 07.11.2025 20:23 · 1 article · 6mo ago
VirusTotal samples show LandFall WhatsApp delivery starting July 23, 2024
Detection IoC Update: Malicious .DNG files associated with LandFall were submitted to VirusTotal starting July 23, 2024, and the filenames indicated WhatsApp as the delivery channel, marking the earliest dated evidence in the campaign.
Sources:
- New LandFall spyware exploited Samsung zero-day via WhatsApp messages — www.bleepingcomputer.com — 07.11.2025 20:23
- 07.11.2025 20:23 · 1 article · 6mo ago
Unit 42 details LandFall spyware and CVE-2025-21042 exploitation
Technical Analysis Update: Palo Alto Networks Unit 42 described LandFall as spyware delivered through malicious WhatsApp images that exploited CVE-2025-21042 in Samsung’s Android image processing library to run code on select Galaxy devices, with activity ongoing since at least July 2024 and targeting users in the Middle East. The analysis also linked the campaign to a malformed .DNG payload with appended .ZIP content, loader components such as b.so and l.so, device fingerprinting, persistence, and spying functions, while attribution to a known vendor or threat group remained unconfirmed.
Sources:
- New LandFall spyware exploited Samsung zero-day via WhatsApp messages — www.bleepingcomputer.com — 07.11.2025 20:23