Zero-Click Malware Unveiled: How a Malicious DNG Image Compromised Samsung Galaxy Devices

TL;DR

  • A single malicious DNG image sent via WhatsApp can hijack a Samsung Galaxy S22–S24 without a tap.
  • The exploit abuses CVE-2025-2104 in Android’s libimagecodec.so, writing past the image buffer and triggering code execution.
  • Once inside, the malware modifies SELinux rules, installs a modular spyware kit called Landfall, and exfiltrates data silently.
  • Samsung released an April 25, 2025 firmware patch; the related image-codec issue followed in September 2025.
  • SOC teams should add media-pipeline monitoring, SELinux audit, and enforce the latest firmware across fleet devices.

Why this matters

When I was in the SOC last week, I saw a phone that had never opened an app, never connected to Wi-Fi, yet it was sending data to an unknown server. The culprit? A malicious DNG image that never even touched the screen. That was the start of the zero-click story that shook our entire threat-intel community. Zero-click exploits hijack devices without user interaction, so the defender’s job is to look at what happens inside the device, not just what the user does. The Landfall campaign is a textbook example of low-volume, modular spyware that leaves a tiny footprint yet can steal GPS, audio, messages, contacts and call logs from a handful of high-risk individuals in the Middle East. For any SOC that monitors only network traffic, the attack would have slipped through like a ghost.

Core concepts

The DNG vector

Digital Negative (DNG) is a RAW image format that stores raw sensor data. Because it is meant for post-processing, the Android image library (libimagecodec.so) reads the file and extracts image metadata, then decodes the pixel data into a bitmap. In CVE-2025-2104, the decoder incorrectly calculates the size of a user-supplied field, so a crafted DNG file can overflow a buffer and write arbitrary data to memory. When the library runs in the privileged image-processing service that is part of the Android framework, that write can trigger native code execution.
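The bug class described above is a size computed from a user-supplied field that the decoder trusts. The following is an added example, not code from the article, Samsung or AOSP: a pre-decode validator that walks a TIFF/DNG directory chain and checks every entry's count × type-size against the real file length before the file is handed to a platform decoder, and that also looks for a ZIP local-file-header signature, the embedded-container check the how-to steps later recommend. All three sample files are constructed inline; the oversized entry only illustrates the 32-bit wrap-around that leads to an undersized buffer and is not a reproduction of the CVE.

```python
import struct
from typing import Dict, List, Optional, Tuple

# Byte size of each TIFF field type (TIFF 6.0 types 1-13 plus the 64-bit types 16-18).
TIFF_TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 6: 1, 7: 1, 8: 2,
                   9: 4, 10: 8, 11: 4, 12: 8, 13: 4, 16: 8, 17: 8, 18: 8}
ZIP_LOCAL_FILE_HEADER = b"PK\x03\x04"


class ImageRejected(Exception):
    """Raised when a file fails a structural check and must not reach the decoder."""


def validate_dng(data: bytes, max_entries: int = 4096) -> Dict:
    """Walk the IFD chain and check each entry against the real file size."""
    total = len(data)
    if total < 8:
        raise ImageRejected("file too short for a TIFF header")
    if data[:2] == b"II":
        endian = "<"
    elif data[:2] == b"MM":
        endian = ">"
    else:
        raise ImageRejected("unknown byte-order mark")
    magic, ifd_offset = struct.unpack(endian + "HI", data[2:8])
    if magic != 42:
        raise ImageRejected("bad TIFF magic")
    tags: List[Tuple[int, int, int]] = []
    seen_ifds = set()
    entries_seen = 0
    while ifd_offset != 0:
        if ifd_offset in seen_ifds:
            raise ImageRejected("IFD chain loops")
        seen_ifds.add(ifd_offset)
        if ifd_offset + 2 > total:
            raise ImageRejected("IFD offset points outside the file")
        (count,) = struct.unpack(endian + "H", data[ifd_offset:ifd_offset + 2])
        entries_seen += count
        if entries_seen > max_entries:
            raise ImageRejected("too many IFD entries")
        ifd_end = ifd_offset + 2 + 12 * count + 4
        if ifd_end > total:
            raise ImageRejected("IFD table runs past end of file")
        for i in range(count):
            off = ifd_offset + 2 + 12 * i
            tag, ftype, n = struct.unpack(endian + "HHI", data[off:off + 8])
            unit = TIFF_TYPE_SIZES.get(ftype)
            if unit is None:
                raise ImageRejected(f"tag {tag}: unknown field type {ftype}")
            # This product is the attacker-controlled size a decoder allocates for.
            # Python integers do not wrap; in C a 32-bit count * unit must be
            # overflow-checked before it is used as an allocation or copy length.
            byte_len = n * unit
            if byte_len > 4:  # values longer than 4 bytes live at an offset
                (value_off,) = struct.unpack(endian + "I", data[off + 8:off + 12])
                # Subtraction form so the same comparison cannot overflow in C.
                if value_off > total or byte_len > total - value_off:
                    raise ImageRejected(f"tag {tag}: {byte_len} bytes at offset "
                                        f"{value_off} exceed file size {total}")
            tags.append((tag, ftype, n))
        (ifd_offset,) = struct.unpack(endian + "I", data[ifd_end - 4:ifd_end])
    return {"ifds": len(seen_ifds), "tags": tags}


def find_embedded_zip(data: bytes) -> Optional[int]:
    """Offset of a ZIP local-file-header signature anywhere in the file, or None."""
    pos = data.find(ZIP_LOCAL_FILE_HEADER)
    return pos if pos >= 0 else None


def check_media(data: bytes) -> Dict:
    """Verdict a quarantine step can act on before the platform decoder runs."""
    try:
        info = validate_dng(data)
    except ImageRejected as exc:
        return {"ok": False, "reason": str(exc)}
    zip_at = find_embedded_zip(data)
    if zip_at is not None:
        return {"ok": False, "reason": f"embedded ZIP container at offset {zip_at}"}
    return {"ok": True, "reason": f"{len(info['tags'])} entries in {info['ifds']} IFD(s)"}


def build_tiff(entries: List[Tuple[int, int, int, int]], trailer: bytes = b"") -> bytes:
    """Construct a minimal little-endian TIFF with one IFD (sample data, not a camera file)."""
    body = struct.pack("<H", len(entries))
    for tag, ftype, n, value in entries:
        body += struct.pack("<HHII", tag, ftype, n, value)
    body += struct.pack("<I", 0)  # no next IFD
    return b"II" + struct.pack("<HI", 42, 8) + body + trailer


# Constructed samples (tag numbers are standard TIFF/DNG tags).
GOOD_DNG = build_tiff([(256, 3, 1, 64),             # ImageWidth
                       (257, 3, 1, 48),             # ImageLength
                       (50706, 1, 4, 0x00000401)])  # DNGVersion, stored inline
# Count 0x40000000 of a 4-byte type is 2^32 bytes; a 32-bit multiply wraps to 0,
# which is how a decoder ends up with a tiny buffer for a huge copy.
OVERSIZED_DNG = build_tiff([(273, 4, 0x40000000, 8)])  # StripOffsets
ZIP_APPENDED_DNG = build_tiff([(256, 3, 1, 64)],
                              trailer=ZIP_LOCAL_FILE_HEADER + b"\x00" * 26)
```

Run `check_media()` on the three samples: the well-formed file passes, the oversized entry is rejected before any pixel data is touched, and the appended ZIP is reported with its offset. The validator deliberately never decodes pixels, so it can sit in a sandboxed process ahead of the real decoder.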

The WhatsApp delivery path

WhatsApp’s client downloads the file into a temporary directory, then hands it off to the system image decoder to render the thumbnail that the user sees. Because the decoding happens before any user action, the exploit can trigger without a tap. WhatsApp’s security documentation notes that all media files are forwarded to the platform’s media pipeline (WhatsApp — Security, 2024).

The malware’s anatomy

Once the vulnerable decoder runs the payload, the loader b.so unpacks a secondary module l.so. The two modules together implement Landfall, a modular spyware that:

  1. Modifies SELinux rules to obtain SYSTEM privileges, well beyond the limits imposed on normal apps.
  2. Persists in the /data/local/tmp directory, surviving reboots.
  3. Opens a tunnel to a command-and-control (C2) server to download additional components.

The modular design means that the initial foothold can stay dormant until the C2 server issues a new module, making detection harder.

Targeting precision

The campaign focused on recent flagship Samsung Galaxy S22–S24 and some foldable models. The attackers chose devices that run the latest Android 14 image, which includes the vulnerable libimagecodec.so. The geographic focus—Iraq, Iran, Turkey and Morocco—suggests an intelligence-grade operation rather than a mass campaign.

The patch story

Samsung issued an April 25, 2025 firmware patch that closed the CVE-2025-2104 hole, but the campaign had run for almost a year before the patch landed. A related image-codec vulnerability that surfaced in September 2025 was a separate issue, which the OEM later fixed. Android’s own security bulletin documents how the OS vendor publishes patches for such native libraries (Android — Security Bulletin, 2026), and the Android Open Source Project hosts the source for libimagecodec.so in the AOSP repository (Android — AOSP Git, 2026).

How to apply it

  1. Verify firmware – Run a quick inventory check for the patch level. Devices not on the April 25, 2025 firmware are high-risk.
  2. Apply the patch – Work with OEMs or OTA vendors to push the fix across the fleet as soon as possible.
  3. Enable media-pipeline monitoring – Add a lightweight agent that watches the system’s media service (com.android.image) for any file parsing events.
  4. Audit SELinux rules – Use the built-in selinuxmon tool or a third-party log monitor to spot any rule additions or modifications that occur outside of normal system updates.
  5. Detect embedded ZIP archives – Implement a sandboxed validator that checks any image file for unexpected ZIP containers before the decoder runs.
  6. Set up threat-hunt rules – Look for outbound traffic to non-whitelisted domains, low-volume exfiltration, and audio-capture APIs being called by unknown processes.
  7. Educate high-risk users – Even though the attack is zero-click, high-risk individuals should avoid opening unknown media in messaging apps and use end-to-end encrypted channels.

Parameter                    Use case                                     Limitation
Media pipeline monitoring    Detect malicious image parsing on device     Requires deep integration into OS
SELinux rule audit           Spot privilege-escalation attempts           False positives if rules change often
Firmware patch enforcement   Ensure devices run latest security updates   Patch lag on devices in production
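Steps 1, 4 and 6 above, plus the b.so/l.so indicator from the FAQ, can be turned into one fleet triage pass. The following is an added example written for this article, not a tool from Samsung, Android or any vendor. It assumes a fleet agent reports, per device, the Android security patch level, a listing of /data/local/tmp, a hash of the loaded SELinux policy, and a summary of outbound flows; the device records, allowlist, policy hashes, build ids and beacon thresholds are all constructed placeholders, and the mapping of the April 25, 2025 firmware to a 2025-04-01 patch level is an assumption, not a fact from the article.

```python
from datetime import date
from typing import Dict, List, Tuple

# Assumption (not stated in the article): the April 25, 2025 firmware reports an
# Android security patch level of 2025-04-01 or later.
BASELINE_PATCH = date(2025, 4, 1)
# Loader names the article gives as a strong Landfall indicator.
LOADER_NAMES = {"b.so", "l.so"}
TMP_DIR = "/data/local/tmp"
# Constructed allowlist of destinations this fleet is expected to talk to.
ALLOWED_DOMAINS = {"mdm.example-corp.test", "updates.example-corp.test"}
# Constructed expected SELinux policy hashes per firmware build (placeholders).
EXPECTED_POLICY_HASH = {"BUILD_A": "sha256:POLICY_HASH_PLACEHOLDER_A",
                        "BUILD_B": "sha256:POLICY_HASH_PLACEHOLDER_B"}
# Thresholds for the low-volume beacon rule; constructed, tune per fleet.
BEACON_MIN_FLOWS = 3
BEACON_MAX_BYTES = 4096


def parse_patch_level(value: str) -> date:
    """Android security patch levels are YYYY-MM-DD strings."""
    y, m, d = (int(part) for part in value.split("-"))
    return date(y, m, d)


def triage_device(rec: Dict) -> List[str]:
    """Return severity-tagged findings for one device record."""
    findings: List[str] = []
    # Step 1: firmware / patch-level baseline.
    if parse_patch_level(rec["security_patch"]) < BASELINE_PATCH:
        findings.append(f"HIGH: patch level {rec['security_patch']} predates baseline {BASELINE_PATCH}")
    # FAQ indicator: loader names in /data/local/tmp (last column of an ls -l line).
    for line in rec["tmp_listing"]:
        name = line.split()[-1]
        if name in LOADER_NAMES:
            findings.append(f"HIGH: suspicious shared object {TMP_DIR}/{name}")
    # Step 4: SELinux policy drift against the hash expected for this build.
    expected = EXPECTED_POLICY_HASH.get(rec["build"])
    if expected and rec["selinux_policy_hash"] != expected:
        findings.append(f"MEDIUM: SELinux policy hash differs from expected for build {rec['build']}")
    # Step 6: outbound traffic to non-allowlisted destinations, with a
    # low-volume-but-repeated pattern scored higher than a one-off connection.
    by_dest: Dict[str, List[int]] = {}
    for dest, nbytes in rec["flows"]:
        by_dest.setdefault(dest, []).append(nbytes)
    for dest, sizes in by_dest.items():
        if dest in ALLOWED_DOMAINS:
            continue
        if len(sizes) >= BEACON_MIN_FLOWS and max(sizes) <= BEACON_MAX_BYTES:
            findings.append(f"MEDIUM: low-volume repeated traffic to non-allowlisted {dest} ({len(sizes)} flows)")
        else:
            findings.append(f"LOW: traffic to non-allowlisted {dest}")
    return findings


def triage_fleet(fleet: List[Dict]) -> Dict[str, List[str]]:
    return {rec["device"]: triage_device(rec) for rec in fleet}


# Constructed telemetry for two devices; flows are (destination, bytes_out).
FLEET: List[Dict] = [
    {"device": "galaxy-001", "build": "BUILD_A", "security_patch": "2025-05-01",
     "selinux_policy_hash": "sha256:POLICY_HASH_PLACEHOLDER_A",
     "tmp_listing": ["-rw-r--r-- 1 shell shell 0 2025-06-01 09:00 README"],
     "flows": [("updates.example-corp.test", 120000)]},
    {"device": "galaxy-002", "build": "BUILD_B", "security_patch": "2025-03-01",
     "selinux_policy_hash": "sha256:DRIFTED_PLACEHOLDER",
     "tmp_listing": ["-rwxr-xr-x 1 shell shell 18432 2025-06-01 09:00 b.so",
                     "-rwxr-xr-x 1 shell shell 40960 2025-06-01 09:00 l.so"],
     "flows": [("cdn-stat.example.test", 640), ("cdn-stat.example.test", 512),
               ("cdn-stat.example.test", 700)]},
]

if __name__ == "__main__":
    for device, findings in triage_fleet(FLEET).items():
        print(device, findings or ["clean"])
```

The policy-hash comparison is what makes SELinux auditing workable at scale: legitimate OTA rule tweaks change the expected hash for that build, so the table is updated per release and only unexplained drift is reported, which addresses the "rule noise" pitfall below.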

Quick checklist for SOC teams

  • Is every device running at least the April 2025 firmware?
  • Do we have an agent that can log media service events?
  • Are SELinux rule changes reported to the SOC in real time?
  • Have we defined a baseline for “normal” image processing patterns?

Pitfalls & edge cases

  1. False positives in media monitoring – The image decoder is invoked for legitimate thumbnails, so over-aggressive alerts can drown analysts.
  2. Patch delays – Some enterprise fleets lock firmware for long release cycles; patch lag gives attackers a window.
  3. SELinux rule noise – OEMs sometimes roll out legitimate rule tweaks during OTA updates; distinguishing malicious changes requires correlation with other indicators.
  4. Encrypted payloads – The Landfall modules can be encrypted; simple signature checks may not catch them unless the hash database is updated.
  5. Non-Android devices – If the organization uses other OEMs, the same vulnerability may not exist, but other image libraries may have similar flaws.

Open questions that still haunt us

  • How did attackers maintain the malicious DNG files in WhatsApp’s delivery system without detection?
  • What device model variations within the S22–S24 range were most affected?
  • Why did CVE-2025-2104 persist until September 2025 despite earlier patches?
  • How can defenders effectively monitor SELinux rule modifications in real time?
  • What mechanisms can detect malformed image files with embedded ZIP archives before they are processed?
  • Are there other image decoding libraries in Android that could be similarly vulnerable?
  • What indicators of compromise can identify Landfall infections early?

Quick FAQ

Q: Can I detect a zero-click DNG attack just by looking at Wi-Fi logs? A: No, the attack occurs entirely inside the device before any network traffic is sent.

Q: Does Android’s app sandbox prevent this kind of exploit? A: The vulnerability sits in a privileged system service that runs with higher privileges, so sandboxing alone won’t help.

Q: What is SELinux and why does the malware modify its rules? A: SELinux is a mandatory access control layer on Android. By tweaking its rules, malware can gain SYSTEM privileges and bypass app-level restrictions.

Q: Should I quarantine any device that shows image thumbnails? A: Not automatically. Look for anomalies in the image pipeline logs and any SELinux changes before taking action.

Q: Is there a known indicator that a device has the Landfall loader? A: A suspicious shared object named b.so or l.so in /data/local/tmp is a strong clue.

Q: Are other messaging apps at risk? A: The same vector exists if a messaging app uses the same Android image decoder. The key is the vulnerability, not the messaging app.

Q: How do I apply the Samsung patch? A: Work with your OTA vendor or OEM support to push the April 25, 2025 firmware to all Samsung Galaxy S22–S24 devices.

Conclusion

Zero-click malware is a silent threat that thrives in the unobserved corners of a device’s media pipeline. The Landfall campaign shows that even a single malicious DNG image can compromise high-risk users, steal data, and remain dormant for months. The lesson is clear: patch first, monitor media processing, audit SELinux, and keep a low-tolerance policy for unknown media on your fleet. SOC teams should integrate media-pipeline telemetry into their SIEM and automate rule-change alerts. Enterprises with high-risk personnel—journalists, diplomats, executives—should enforce the latest firmware and limit exposure to unverified media attachments. By following the checklist above, you can turn the zero-click attack surface from a silent killer into a visible, actionable threat.

References

  • Android — Security Bulletin
  • WhatsApp — Security
  • Samsung — Support
  • Android — AOSP Git
  • Unit 42 — Homepage

Last updated: March 26, 2026
