Understanding the Threat: CVE-2025-21042 and the LANDFALL Spyware
For Australian CISOs and IT Directors, the enterprise perimeter no longer ends at the firewall. It ends in the pockets of your C-suite. The recent CISA alert for CVE-2025-21042 has elevated a theoretical risk into an actively exploited reality, with profound implications for Australian businesses.
This isn't a minor consumer-grade bug. This is a supply chain-style compromise of your most trusted, high-value assets: your executive team.
What is CVE-2025-21042?
Tracked as CVE-2025-21042, this is a critical (CVSS 8.8-9.8) out-of-bounds write vulnerability in a core image processing library (libimagecodec.quram.so) on a vast range of high-end Samsung Galaxy devices.
Its primary vector is a "zero-click" exploit. This is the apex predator of vulnerabilities. An attacker simply sends a specially crafted Digital Negative (DNG) image file via a messaging app like WhatsApp. The victim does not need to open the image, click a link, or interact in any way. The device's operating system processes the image preview, triggering the vulnerability and leading to remote code execution (RCE) with system-level privileges.
The Payload: "LANDFALL" Commercial-Grade Spyware
The vulnerability is merely the delivery mechanism. The payload, dubbed "LANDFALL," is a sophisticated, modular, commercial-grade spyware framework engineered for one purpose: total surveillance.
Research from Palo Alto Networks' Unit 42 confirms LANDFALL grants attackers complete control. Its capabilities include:
Audio Surveillance: Recording all microphone audio and phone calls, silently capturing board meetings, legal discussions, and M&A strategy sessions.
Data Exfiltration: Stealing all photos, contacts, SMS messages, and call logs.
Location Tracking: Continuous, real-time monitoring of the victim's movements.
Stealth and Persistence: LANDFALL is designed to evade detection and maintain access even after reboots, giving attackers a persistent foothold.
This toolkit is not the work of common criminals; it's associated with Private-Sector Offensive Actors (PSOAs)—mercenary groups that sell these capabilities to the highest bidder for corporate and state-level espionage.
Business Impact Analysis: The Australian BYOD Liability
This vulnerability was actively exploited for at least seven months (from July 2024 to February 2025) before Samsung's patch in April 2025. On November 10, 2025, CISA added it to the Known Exploited Vulnerabilities (KEV) catalog, mandating a fix by December 1 for federal agencies—a clear signal of its severity and active threat status.
For Australian leaders, this presents a catastrophic governance failure.
Your Executive's Pocket: The New Attack Surface
In Australia, Samsung holds over 25% of the mobile market, with over 9 million users. Many of these are the exact flagship Galaxy S22, S23, S24, and Z Fold devices targeted by this exploit.
In a corporate BYOD (Bring Your Own Device) environment, that personal phone is a trusted endpoint. It is used to check corporate email, access the VPN, join Teams/Zoom calls, and review sensitive documents. When compromised by LANDFALL, that device becomes a vector for a devastating corporate data breach. The ACSC has long warned that BYOD introduces new risks that require careful consideration and risk management, which this exploit directly targets.
A Corporate Data Breach on a Personal Device
The compromise of an executive's phone is not a personal matter. The exfiltration of corporate data (e.g., strategic plans, financial forecasts, client data) from that device is a clear-cut "eligible data breach" under the Office of the Australian Information Commissioner's (OAIC) Notifiable Data Breaches (NDB) scheme.
Your organisation is legally required to assess and report this breach. This introduces severe complications:
Legal Liability: How can you prove what data was not taken? The "employee records exemption" does not apply to the sensitive corporate data, client PII, or market-sensitive information discussed in a board meeting recorded by the spyware.
Reputational Damage: A breach originating from your C-suite's devices signals a fundamental failure of security and governance.
Detection Failure: The most critical question is: How would you even know?
Why Your MDM and EDR Are Blind to This Threat
This is the gap that PSOAs and LANDFALL exploit. Australian CISOs investing in robust security stacks are being failed by a critical blind spot.
Mobile Device Management (MDM): MDM and Unified Endpoint Management (UEM) solutions are governance tools, not security tools. They are designed to enforce policies, push patches, and wipe lost devices. On a BYOD device, their visibility is intentionally limited by employee privacy concerns. An MDM cannot inspect an image parsing library in real time. It can only (slowly) report whether the device is patched, which is useless against a zero-day exploit.
Endpoint Detection & Response (EDR): Your EDR is on the corporate laptop, not the executive's personal phone.
Network Monitoring: The exploit occurs on the device itself. The exfiltrated data is siphoned off over HTTPS on non-standard ports, blending in with thousands of other app connections from a mobile device, making it invisible to traditional network firewalls.
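The one trace that does leave the device is the egress traffic described above. As an added illustration (not code from the article or from Lean Security), the following heuristic shows what a SOC could run over a firewall or NetFlow export from the BYOD Wi-Fi segment to surface long-lived, upload-heavy TLS sessions on non-standard ports. The CSV field names, the sample flows and the thresholds are constructed assumptions for this example.

```python
# Added example, not from the article: flag upload-heavy TLS sessions on
# non-standard ports in a (constructed) flow export from the BYOD segment.
import csv
from collections import defaultdict
from io import StringIO

# Constructed sample export: one flow per line, fields are assumptions.
SAMPLE_FLOWS = """\
ts,device,dst_ip,dst_port,app,bytes_out,bytes_in,duration_s
2025-02-03T08:01:10Z,ceo-galaxy-s24,203.0.113.10,443,tls,21000,340000,12
2025-02-03T08:02:05Z,ceo-galaxy-s24,198.51.100.7,8443,tls,1800,9000,4
2025-02-03T08:05:30Z,ceo-galaxy-s24,192.0.2.44,4443,tls,28000000,120000,1900
2025-02-03T08:06:00Z,cfo-galaxy-s23,203.0.113.10,443,tls,15000,210000,9
2025-02-03T08:07:12Z,cfo-galaxy-s23,192.0.2.44,4443,tls,9000000,70000,1400
2025-02-03T08:09:41Z,legal-fold5,203.0.113.22,443,tls,400000,150000,60
"""

STANDARD_TLS_PORTS = {443, 8443}

def parse_flows(text):
    """Parse the constructed CSV export into dicts with numeric fields."""
    rows = []
    for r in csv.DictReader(StringIO(text)):
        for k in ("dst_port", "bytes_out", "bytes_in", "duration_s"):
            r[k] = int(r[k])
        rows.append(r)
    return rows

def suspicious_uploads(flows, min_out=1_000_000, ratio=10.0, min_duration=600):
    """TLS flows on non-standard ports where upload dominates download and the
    session is long-lived: the inverse of normal app traffic from a phone."""
    hits = []
    for f in flows:
        if f["app"] != "tls" or f["dst_port"] in STANDARD_TLS_PORTS:
            continue
        upload_heavy = f["bytes_out"] >= min_out and f["bytes_out"] >= ratio * f["bytes_in"]
        if upload_heavy and f["duration_s"] >= min_duration:
            hits.append(f)
    return hits

def shared_destinations(hits):
    """Group flagged flows by destination so one host receiving uploads from
    several executive devices is triaged as a single incident."""
    by_dst = defaultdict(set)
    for f in hits:
        by_dst[(f["dst_ip"], f["dst_port"])].add(f["device"])
    return {dst: sorted(devs) for dst, devs in by_dst.items()}
```

Thresholds like these will need tuning against a baseline of the segment's real traffic; the value of the check is in correlating the same unusual destination across several high-value devices, not in any single flow.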
For seven months, this vulnerability was a zero-day. Patching was not an option. Detection was the only possible defence. Your stack was blind, and you were exposed.
How Red Teaming Exposes This Vulnerability
A standard penetration test will check if your external-facing servers are patched. It will not tell you if you could withstand a LANDFALL-style attack.
This threat requires an adversary-centric approach. Our red team engagements move beyond simple vulnerability scanning to simulate the tactics, techniques, and procedures (TTPs) of the PSOAs behind this attack.
Simulating the Mobile-Originated Breach Scenario
We answer the one question your board should be asking: "Can we detect and respond to a zero-click compromise of our executive team?"
A standard pen test checks a list of known vulnerabilities. Our mobile-originated red team engagement simulates the entire attack chain:
Targeted Reconnaissance: We identify high-value targets (e.g., C-suite, finance, legal) and their specific devices, just as a real attacker would.
Adversary Emulation: We emulate the TTPs of an actor like the one deploying LANDFALL, focusing on social engineering vectors and client-side exploits targeting mobile devices.
Payload & Exfiltration: We use a non-destructive, benign payload to simulate a zero-click compromise. The objective is to gain access and begin exfiltrating data.
Testing Your Detection: The real test begins now. Is your SOC blind? Does your SIEM generate an alert? Does your incident response team know how to contain a threat originating from a personal BYOD device? Can they differentiate malicious traffic from the "noise" of 300 other apps?
Our Methodology: Assume You Are Breached
Your MDM will fail to stop a zero-day. Your network perimeter will be bypassed. The battle is one of detection and response.
Our methodology provides the only realistic assessment of your resilience to this modern, mobile-first threat. We provide a clear, actionable report that moves beyond "patch this" and delivers a strategic roadmap for building resilience.
This isn't just about CVE-2025-21042. It's about the next zero-click exploit, and the one after that. Do not wait for a journalist's phone call to find out your most sensitive conversations are being auctioned by mercenaries.
Secure your enterprise. Contact Lean Security today for a confidential Red Team briefing.