Samsung Phones Compromised by LANDFALL Spyware Exploiting Zero-Day Flaw
By John Jordan, 3 hours ago, 2 min read
A critical zero-day vulnerability in Samsung Galaxy devices, identified as CVE-2025-21042, was actively exploited to deploy sophisticated LANDFALL spyware. This commercial-grade malware targeted users in the Middle East, capable of extensive data harvesting and surveillance. The vulnerability, present in Samsung's image processing library, allowed attackers to execute arbitrary code, with attacks dating back to July 2024 before being patched by Samsung in April 2025.
Key Takeaways
A zero-day vulnerability (CVE-2025-21042) in Samsung's image processing library was exploited.
The LANDFALL spyware was delivered via malicious DNG image files, likely through WhatsApp.
Targeted attacks occurred in the Middle East, with potential links to the Stealth Falcon group.
The spyware could steal sensitive data, record audio, and track location.
Samsung patched the vulnerability in April 2025.
LANDFALL Spyware: A Sophisticated Threat
Researchers from Palo Alto Networks Unit 42 discovered the LANDFALL spyware, which was designed specifically to target Samsung Galaxy devices, including popular models such as the S22, S23, S24, Z Fold 4, and Z Flip 4. The spyware was delivered through specially crafted DNG (Digital Negative) image files that carried an embedded ZIP archive. These files were reportedly sent via WhatsApp and exploited the vulnerability in Samsung's image processing library.
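The delivery mechanism described above, a DNG image file carrying an embedded ZIP archive, lends itself to a simple defensive triage check: a legitimate DNG (which is TIFF-based) has no reason to contain a parseable ZIP archive. The following is an added illustration written for this article; it is not code from Unit 42 or Samsung and has no knowledge of the actual LANDFALL sample layout. It assumes only the public TIFF/DNG byte-order magic and the standard ZIP local-file-header signature, and it builds its own constructed sample file (a minimal TIFF header with a ZIP appended) so it runs offline.

```python
import io
import struct
import zipfile

# TIFF/DNG files start with a byte-order mark and the magic number 42.
TIFF_MAGICS = (b"II*\x00", b"MM\x00*")
# Signature of a ZIP local file header ("PK\x03\x04").
ZIP_LOCAL_HEADER = b"PK\x03\x04"


def is_tiff_like(data: bytes) -> bool:
    """True if the buffer begins with a TIFF/DNG header."""
    return data[:4] in TIFF_MAGICS


def find_zip_signatures(data: bytes) -> list:
    """Return every offset at which a ZIP local file header signature occurs."""
    offsets = []
    pos = data.find(ZIP_LOCAL_HEADER)
    while pos != -1:
        offsets.append(pos)
        pos = data.find(ZIP_LOCAL_HEADER, pos + 1)
    return offsets


def list_zip_members(data: bytes, offset: int) -> list:
    """Try to parse a ZIP archive starting at `offset`; return member names or []."""
    # Pixel data can contain the 4-byte signature by chance, so a hit only
    # counts if the bytes from that offset parse as a real archive.
    try:
        with zipfile.ZipFile(io.BytesIO(data[offset:])) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return []


def scan_image(data: bytes) -> dict:
    """Triage summary: is it TIFF-like, where do ZIP signatures sit, and what parses."""
    result = {"tiff_like": is_tiff_like(data), "zip_offsets": [], "zip_members": []}
    if not result["tiff_like"]:
        return result
    result["zip_offsets"] = find_zip_signatures(data)
    for off in result["zip_offsets"]:
        members = list_zip_members(data, off)
        if members:
            result["zip_members"] = members
            break
    return result


def is_suspicious(data: bytes) -> bool:
    """A TIFF/DNG that carries a parseable ZIP archive warrants a closer look."""
    r = scan_image(data)
    return r["tiff_like"] and bool(r["zip_members"])


def build_minimal_tiff() -> bytes:
    """Constructed sample: little-endian TIFF header plus a one-entry IFD."""
    header = b"II*\x00" + struct.pack("<I", 8)          # IFD begins at offset 8
    entry = struct.pack("<HHII", 256, 3, 1, 1)           # ImageWidth = 1 (SHORT)
    ifd = struct.pack("<H", 1) + entry + struct.pack("<I", 0)  # 1 entry, no next IFD
    return header + ifd


def build_sample_with_zip() -> bytes:
    """Constructed sample: the minimal TIFF with a ZIP archive appended."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("payload.bin", b"placeholder bytes constructed for this example")
    return build_minimal_tiff() + buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("clean", build_minimal_tiff()), ("embedded", build_sample_with_zip())):
        print(label, scan_image(blob), "suspicious:", is_suspicious(blob))
```

The check is a heuristic for mail, chat or endpoint scanning pipelines, not a signature for LANDFALL itself: it flags the structural oddity the article describes (a raw image carrying an archive) while filtering out chance byte matches by requiring that the candidate region actually parse as a ZIP.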
Once installed, LANDFALL acted as a comprehensive surveillance tool. Its capabilities included recording microphone audio, tracking location, stealing photos, contacts, SMS messages, and call logs, and accessing files on the device. The spyware also employed advanced techniques for persistence and evasion, making it difficult to detect.
Exploitation and Targets
The vulnerability, CVE-2025-21042, allowed for remote code execution. Evidence suggests that the exploit chain may have involved a zero-click approach, meaning users did not need to interact with the malicious file for their devices to be compromised. The campaign, tracked as CL-UNK-1054, was active from at least July 2024 until Samsung released a patch in April 2025. Analysis of VirusTotal data indicated that potential targets were located in Iraq, Iran, Turkey, and Morocco.
While direct attribution remains unconfirmed, the command-and-control (C2) infrastructure and domain registration patterns used by LANDFALL share similarities with those associated with Stealth Falcon, a group known for commercial spyware operations in the Middle East. This suggests a possible link to private-sector offensive actors (PSOAs).
Broader Implications and Mitigation
The discovery of LANDFALL highlights a concerning trend of sophisticated spyware leveraging zero-day vulnerabilities in mobile devices. Similar DNG image processing vulnerabilities have also been exploited on other platforms, including iOS. Samsung has since patched CVE-2025-21042 and a related vulnerability, CVE-2025-21043. Users are advised to keep their Samsung devices updated with the latest security patches to protect against such threats.
Sources
Samsung Mobile Flaw Exploited as Zero-Day to Deploy LANDFALL Android Spyware, The Hacker News.
LANDFALL: New Commercial-Grade Android Spyware in Exploit Chain Targeting Samsung Devices, Unit 42.
LANDFALL spyware exploited Samsung zero-day CVE-2025-21042 in Middle East attacks, Security Affairs.
Samsung phones under threat from this dangerous new spyware cyberattack - here's how to stay safe, TechRadar.
Landfall Spyware Targets Samsung Galaxy Phones Through Android Flaw; Millions At Risk, Mashable India.