Samsung Galaxy Devices Targeted by LANDFALL Spyware Exploit in Attacks


A recently patched security vulnerability in Samsung Galaxy Android devices was exploited as a zero-day to deliver a commercial-grade spyware known as LANDFALL in targeted attacks primarily in the Middle East. The flaw, identified as CVE-2025-21042, had a CVSS score of 8.8 and allowed remote attackers to execute arbitrary code. Samsung addressed this issue in April 2025 after reports of its exploitation surfaced.

According to cybersecurity firm Palo Alto Networks Unit 42, the attacks targeted users in Iraq, Iran, Turkey, and Morocco. The exploitation involved sending malicious images via WhatsApp, specifically in the DNG (Digital Negative) file format, with evidence of LANDFALL dating back to July 2024.

LANDFALL functions as a comprehensive surveillance tool, capable of collecting sensitive information such as microphone recordings, GPS location, photos, contacts, SMS messages, files, and call logs. The spyware targets several Samsung devices, including the Galaxy S22, S23, S24, Z Fold 4, and Z Flip 4.

Unit 42 noted that the exploit may have utilized a zero-click method to trigger the vulnerability without requiring user interaction. However, there is currently no evidence suggesting that WhatsApp has any underlying security issues that contributed to this exploitation.

In a related development, Samsung disclosed another vulnerability in the same library (CVE-2025-21043) in September 2025, which also had a high CVSS score but has not been linked to the LANDFALL campaign. Both vulnerabilities highlight the ongoing risks associated with mobile security.

The spyware’s delivery mechanism involved a ZIP archive embedded within the malicious DNG files; a shared object (.so) library was extracted from that archive and executed as the LANDFALL loader. This loader communicates with a command-and-control (C2) server to receive additional payloads, although details about these subsequent components remain undisclosed.
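The delivery mechanism described above (a ZIP archive carried inside a DNG image, containing a native library) lends itself to a simple defensive triage check. The following script is an added example, not Unit 42's tooling and not derived from any LANDFALL sample: it treats DNG as the TIFF container it is, looks for ZIP signatures inside the file, parses any archive it finds, and flags members that look like native code. The sample files, the member name `payload.so`, and the function names are all constructed for the example.

```python
"""
Heuristic triage for DNG/TIFF images that carry an embedded ZIP archive.
Added example for this article; it is not Unit 42's code and is not
LANDFALL-specific. It checks only the generic condition the report
describes: a ZIP structure hidden inside a DNG container. A hit means
"look closer", not "confirmed malicious"; image data can contain 'PK'
bytes by chance, so the archive is parsed before anything is flagged.
"""
import io
import struct
import zipfile

ZIP_LOCAL_HEADER = b"PK\x03\x04"   # start of a ZIP local file header
ZIP_EOCD = b"PK\x05\x06"           # end-of-central-directory record


def is_tiff_like(data: bytes) -> bool:
    """DNG is a TIFF container: 'II*\\0' (little-endian) or 'MM\\0*' (big-endian)."""
    return data[:4] in (b"II*\x00", b"MM\x00*")


def find_embedded_zip(data: bytes):
    """
    Return (offset, member_names) when a ZIP archive is found inside a
    TIFF/DNG blob, or None when the file is not TIFF-like or holds no ZIP.
    A ZIP signature that fails to parse is still reported, with an empty
    member list, because a truncated or obfuscated archive is itself suspicious.
    """
    if not is_tiff_like(data):
        return None
    start = data.find(ZIP_LOCAL_HEADER)
    if start == -1 or data.find(ZIP_EOCD, start) == -1:
        return None
    try:
        with zipfile.ZipFile(io.BytesIO(data[start:])) as zf:
            return start, zf.namelist()
    except zipfile.BadZipFile:
        return start, []


def suspicious_members(names):
    """Flag archive members that look like shared libraries (native code inside an image)."""
    return [n for n in names if n.endswith(".so")]


def build_sample_dng(with_zip: bool) -> bytes:
    """
    Constructed sample input: a minimal little-endian TIFF with one empty
    IFD and no pixel data, optionally followed by a ZIP archive. The member
    name 'payload.so' is hypothetical and not taken from any real sample.
    """
    header = b"II*\x00" + struct.pack("<I", 8)        # magic + offset of first IFD
    ifd = struct.pack("<H", 0) + struct.pack("<I", 0)  # zero entries, no next IFD
    body = header + ifd
    if with_zip:
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr("payload.so", b"\x7fELF" + b"\x00" * 12)  # fake ELF magic
        body += buf.getvalue()
    return body


if __name__ == "__main__":
    for label, sample in (("clean", build_sample_dng(False)),
                          ("carrier", build_sample_dng(True))):
        hit = find_embedded_zip(sample)
        if hit is None:
            print(f"{label}: no embedded ZIP")
        else:
            off, names = hit
            print(f"{label}: ZIP at offset {off}, members={names}, "
                  f"native={suspicious_members(names)}")
```

In practice you would run `find_embedded_zip` over attachments at a mail or messaging gateway, or over files pulled from a device during incident response, and route any hit with a `.so` member to manual analysis. The check says nothing about the parser bug itself; it only catches the carrier pattern the report describes.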

While the specific threat actors behind LANDFALL are unknown, Unit 42 noted similarities between its infrastructure and that of the Stealth Falcon group. The findings underscore the sophistication of the exploit and the potential for similar campaigns to continue targeting mobile devices.
