LANDFALL: New Commercial-Grade Android Spyware in Exploit Chain Targeting Samsung Devices

    Date: 11/10/2025

    Severity: High

    Summary

    Researchers have discovered a new Android spyware family called LANDFALL. Attackers delivered it through a zero-day flaw (CVE-2025-21042) in Samsung’s image processing library; the vulnerability was exploited in the wild before Samsung patched it in April 2025. LANDFALL spread via malicious DNG image files sent through WhatsApp. Its delivery method mirrors recent Apple and WhatsApp exploit chains, though no new WhatsApp flaws were found, and the issue is part of a broader pattern seen across multiple mobile platforms.

    Indicators of Compromise (IOC) List

    Domains/URLs:

    brightvideodesigns.com

    healthyeatingontherun.com

    hotelsitereview.com

    projectmanagerskills.com

    IP Addresses:

    SHA-256 Hashes:

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    domainname like "projectmanagerskills.com" or url like "projectmanagerskills.com" or siteurl like "projectmanagerskills.com" or domainname like "hotelsitereview.com" or url like "hotelsitereview.com" or siteurl like "hotelsitereview.com" or domainname like "brightvideodesigns.com" or url like "brightvideodesigns.com" or siteurl like "brightvideodesigns.com" or domainname like "healthyeatingontherun.com" or url like "healthyeatingontherun.com" or siteurl like "healthyeatingontherun.com"

    Detection Query 2:

    dstipaddress IN ("92.243.65.240","194.76.224.127","45.155.250.158","46.246.28.75","91.132.92.35","192.36.57.56") or srcipaddress IN ("92.243.65.240","194.76.224.127","45.155.250.158","46.246.28.75","91.132.92.35","192.36.57.56")

    Detection Query 3:

    sha256hash IN ("29882a3c426273a7302e852aa77662e168b6d44dcebfca53757e29a9cdf02483","b06dec10e8ad0005ebb9da24204c96cb2e297bd8d418bc1c8983d066c0997756","9297888746158e38d320b05b27b0032b2cc29231be8990d87bc46f1e06456f93","d2fafc7100f33a11089e98b660a85bd479eab761b137cca83b1f6d19629dd3b0","b975b499baa3119ac5c2b3379306d4e50b9610e9bba3e56de7dfd3927a96032d","c0f30c2a2d6f95b57128e78dc0b7180e69315057e62809de1926b75f86516b2e","ffeeb0356abb56c5084756a5ab0a39002832403bca5290bb6d794d14b642ffe2","211311468f3673f005031d5f77d4d716e80cbf3c1f0bb1f148f2200920513261","69cf56ac6f3888efa7a1306977f431fd1edb369a5fd4591ce37b72b7e01955ee","384f073d3d51e0f2e1586b6050af62de886ff448735d963dfc026580096d81bd","a62a2400bf93ed84ebadf22b441924f904d3fcda7d1507ba309a4b1801d44495","2425f15eb542fca82892fd107ac19d63d4d112ddbfe698650f0c25acf6f8d78a","b45817ffb0355badcc89f2d7d48eecf00ebdf2b966ac986514f9d971f6c57d18")
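    The three TDIR queries above, expressed as a portable Python check for teams that need to apply the same indicators outside Gurucul. This is an added example, not Gurucul's or Unit 42's code: the field names follow the queries, the sample events are constructed, and domains are matched on the hostname (exact or subdomain) rather than as raw substrings.

```python
from urllib.parse import urlsplit

# LANDFALL indicators copied from the advisory above.
LANDFALL_DOMAINS = {"brightvideodesigns.com", "healthyeatingontherun.com",
                    "hotelsitereview.com", "projectmanagerskills.com"}
LANDFALL_IPS = {"45.155.250.158", "46.246.28.75", "91.132.92.35",
                "92.243.65.240", "192.36.57.56", "194.76.224.127"}
LANDFALL_SHA256 = set("""
b06dec10e8ad0005ebb9da24204c96cb2e297bd8d418bc1c8983d066c0997756
c0f30c2a2d6f95b57128e78dc0b7180e69315057e62809de1926b75f86516b2e
9297888746158e38d320b05b27b0032b2cc29231be8990d87bc46f1e06456f93
d2fafc7100f33a11089e98b660a85bd479eab761b137cca83b1f6d19629dd3b0
384f073d3d51e0f2e1586b6050af62de886ff448735d963dfc026580096d81bd
b975b499baa3119ac5c2b3379306d4e50b9610e9bba3e56de7dfd3927a96032d
a62a2400bf93ed84ebadf22b441924f904d3fcda7d1507ba309a4b1801d44495
29882a3c426273a7302e852aa77662e168b6d44dcebfca53757e29a9cdf02483
2425f15eb542fca82892fd107ac19d63d4d112ddbfe698650f0c25acf6f8d78a
b45817ffb0355badcc89f2d7d48eecf00ebdf2b966ac986514f9d971f6c57d18
69cf56ac6f3888efa7a1306977f431fd1edb369a5fd4591ce37b72b7e01955ee
211311468f3673f005031d5f77d4d716e80cbf3c1f0bb1f148f2200920513261
ffeeb0356abb56c5084756a5ab0a39002832403bca5290bb6d794d14b642ffe2
""".split())

def host_of(value):
    # Lowercase hostname of a URL or bare domain ('' if none), trailing dot removed.
    host = urlsplit(value if "://" in value else "//" + value).hostname or ""
    return host.rstrip(".")

def domain_hit(value):
    # Exact or subdomain match only; a lookalike such as nothotelsitereview.com does not fire.
    host = host_of(value)
    return any(host == d or host.endswith("." + d) for d in LANDFALL_DOMAINS)

def match_landfall(event):
    """Return which indicator types an event matches: 'domain', 'ip' and/or 'hash'."""
    hits = []
    if any(domain_hit(event.get(f) or "") for f in ("domainname", "url", "siteurl")):
        hits.append("domain")
    if any(event.get(f) in LANDFALL_IPS for f in ("srcipaddress", "dstipaddress")):
        hits.append("ip")
    if (event.get("sha256hash") or "").strip().lower() in LANDFALL_SHA256:
        hits.append("hash")
    return hits

# Constructed sample events (not real telemetry), keyed like the TDIR query fields.
SAMPLE_EVENTS = [
    {"url": "https://cdn.hotelsitereview.com/img/a.dng", "dstipaddress": "10.0.0.5"},
    {"srcipaddress": "192.168.1.20", "dstipaddress": "45.155.250.158"},
    {"sha256hash": "B06DEC10E8AD0005EBB9DA24204C96CB2E297BD8D418BC1C8983D066C0997756"},
    {"domainname": "nothotelsitereview.com", "dstipaddress": "10.0.0.53"},
]
```

    Run `match_landfall` over each record exported from your proxy, firewall or EDR logs; the first three sample events each match one indicator type and the fourth, a lookalike domain, matches none.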

    Reference:

    https://unit42.paloaltonetworks.com/landfall-is-new-commercial-grade-android-spyware/
