Landfall Android Spyware Targeted Samsung Phones via Zero-Day

By Admin | 2026-01-23 | Cyber Attack

A newly identified Android spyware campaign targeted Samsung device users by exploiting a zero-day vulnerability, according to a report released by Palo Alto Networks.

The spyware, dubbed Landfall, abused a flaw tracked as CVE-2025-21042, which affects a Samsung image processing library and allows remote code execution. The vulnerability was exploited before Samsung released a patch.

Attackers reportedly delivered the spyware by sending victims a specially crafted DNG image via WhatsApp. The campaign appears to have focused on Samsung Galaxy devices, and researchers believe the spyware may have been deployed using a zero-click attack, requiring no interaction from the victim.

Palo Alto Networks stated that it did not identify any previously unknown vulnerabilities in WhatsApp itself.

Landfall is capable of infecting Samsung Galaxy S22, S23, S24, Z Fold4, and Z Flip4 devices. Once installed, the spyware enables extensive surveillance, including microphone recording, location tracking, and data exfiltration. Attackers can also steal photos, contacts, and call logs from compromised devices.

Although Samsung patched CVE-2025-21042 in April, its security advisory did not reference active exploitation. Palo Alto Networks reported that Landfall attacks have been occurring since at least July 2024, indicating the flaw was used as a zero-day before patches became available.

The vulnerability is closely related to CVE-2025-21043, another Samsung image library flaw recently patched after being reported by Meta and WhatsApp. That vulnerability also enables remote code execution and was likely exploited by a spyware vendor.

Palo Alto Networks noted strong similarities between the two vulnerabilities: both involve DNG image processing and both were delivered through mobile messaging applications.

The firm also referenced Apple’s patching of CVE-2025-43300, a similar flaw believed to have been chained with a WhatsApp zero-day (CVE-2025-55177) to deliver spyware to iOS users. However, Palo Alto Networks could not confirm whether this exploit chain was used to deploy Landfall on Apple devices.

Researchers have not attributed Landfall to a known commercial spyware vendor and are tracking the operator as CL-UNK-1054. While some links to the UAE-linked Stealth Falcon group were identified, no conclusive attribution has been made. Naming conventions in the malware's components suggest possible development ties to surveillance firms such as NSO, Variston, or Cytrox.

Analysis of malicious DNG files indicates that the campaign primarily targeted individuals in the Middle East and North Africa, including Iran, Iraq, Turkey, and Morocco.