
Landfall Android Spyware Exploited Zero-Day Vulnerability to Target Samsung Devices

A recently discovered Android spyware named Landfall has been delivered to Samsung device owners by exploiting a zero-day vulnerability. Palo Alto Networks reported on Friday that the spyware targeted a vulnerability identified as CVE-2025-21042, which impacts a Samsung image processing library and allows for remote code execution.

Zero-Day Attack Details

The attackers exploited CVE-2025-21042 by sending targeted users a specially crafted DNG image file through WhatsApp. The attacks appear to have been aimed at various Samsung Galaxy phones, including the S22, S23, S24, Z Fold4, and Z Flip4 models. The threat actor likely delivered Landfall through a zero-click exploit, meaning it required no interaction from the victim. Palo Alto Networks noted that it did not identify any unknown WhatsApp flaws being used.

Once a device is infected, Landfall allows the operator to spy on the victim. The spyware has extensive capabilities, including microphone recording, location tracking, and data exfiltration. Attackers can leverage it to steal sensitive information such as photos, contacts, and call logs.

Patching and Attribution

Samsung patched CVE-2025-21042 in April, though the company's advisory did not mention in-the-wild exploitation. However, Palo Alto Networks stated that the Landfall attacks had been carried out since at least July 2024, confirming that the flaw was exploited as a zero-day before patches were released.

CVE-2025-21042 is similar to another recently patched zero-day, CVE-2025-21043, which was also found in the same Samsung image library and allows for remote code execution. Palo Alto Networks noted the striking similarities between the exploits for both vulnerabilities, as both are tied to DNG image file processing and were delivered through mobile communication applications.
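Both vulnerabilities were triggered by DNG files delivered over messaging apps. As an added example (not code from the article or from Palo Alto Networks), the Python below is a triage check a defender can run over DNG files pulled from a messaging app's media folder: it walks the TIFF container that DNG is built on and reports how many bytes follow the last structure the file declares. A large trailer is only a heuristic worth a closer look, not a Landfall signature; the sample file is constructed inline and the layout assumed is plain baseline TIFF.

```python
import struct

OFFSET_TAGS = {273: 279, 324: 325}  # Strip/Tile offsets -> their byte-count tags
TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 6: 1, 7: 1, 8: 2, 9: 4, 10: 8, 11: 4, 12: 8}

def _ints(data, e, typ, count, field):
    """Decode a SHORT/LONG array stored inline in the 4-byte value field or out of line."""
    fmt, size = {3: "H", 4: "I"}.get(typ), TYPE_SIZES.get(typ, 0) * count
    start = field if size <= 4 else struct.unpack(e + "I", data[field:field + 4])[0]
    if fmt is None or start + size > len(data):
        return []
    return list(struct.unpack(e + fmt * count, data[start:start + size]))

def declared_extent(data: bytes) -> int:
    """Highest byte offset the TIFF/DNG structure references, or -1 if not a TIFF container."""
    e = {b"II": "<", b"MM": ">"}.get(data[:2])
    if len(data) < 8 or e is None or struct.unpack(e + "H", data[2:4])[0] != 42:
        return -1
    extent, ifd, seen = 8, struct.unpack(e + "I", data[4:8])[0], set()
    while ifd and ifd not in seen and ifd + 2 <= len(data):
        seen.add(ifd)
        n = struct.unpack(e + "H", data[ifd:ifd + 2])[0]
        nxt = ifd + 2 + 12 * n  # position of the next-IFD pointer
        if nxt + 4 > len(data):
            return extent  # truncated directory: report what was reachable
        extent, entries = max(extent, nxt + 4), {}
        for off in range(ifd + 2, nxt, 12):
            tag, typ, count = struct.unpack(e + "HHI", data[off:off + 8])
            size = TYPE_SIZES.get(typ, 1) * count
            if size > 4:  # value stored out of line; the field holds its offset
                extent = max(extent, struct.unpack(e + "I", data[off + 8:off + 12])[0] + size)
            entries[tag] = (typ, count, off + 8)
        for otag, ctag in OFFSET_TAGS.items():
            if otag in entries and ctag in entries:
                offs, lens = (_ints(data, e, *entries[t]) for t in (otag, ctag))
                extent = max([extent] + [o + l for o, l in zip(offs, lens)])
        ifd = struct.unpack(e + "I", data[nxt:nxt + 4])[0]
    return extent

def trailing_bytes(data: bytes) -> int:
    """Bytes after the last declared structure (-1 if not TIFF); large values merit a closer look."""
    ext = declared_extent(data)
    return -1 if ext < 0 else len(data) - ext

def build_sample(trailer: bytes = b"") -> bytes:
    """Constructed (assumed) 2x1 8-bit grayscale TIFF, the container DNG builds on, plus a trailer."""
    entries = [(256, 3, 1, 2), (257, 3, 1, 1), (273, 4, 1, 8), (279, 4, 1, 2)]  # pixels at offset 8
    ifd = struct.pack("<H", len(entries))
    for tag, typ, count, value in entries:
        ifd += struct.pack("<HHII", tag, typ, count, value)
    return b"II*\x00" + struct.pack("<I", 10) + b"\x10\x20" + ifd + struct.pack("<I", 0) + trailer
```

Run `trailing_bytes(open(path, "rb").read())` over each file; a clean sample returns 0, while a file with data appended past the declared image returns the size of that appendage.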

Palo Alto Networks was unable to attribute the Landfall malware to a known commercial spyware vendor. It is currently tracking the threat actor as CL-UNK-1054. While some connections were noted to the UAE-linked Stealth Falcon group, conclusive evidence is lacking. Malware component naming conventions suggest the spyware could have been developed by surveillance companies such as NSO, Variston, or Cytrox. The malicious DNG file samples analyzed suggest that the Landfall attacks have been aimed at individuals in the Middle East and North Africa, including Iran, Iraq, Turkey, and Morocco.
