
Landfall Spyware Exploits Samsung Zero-Day Vulnerability

Cybersecurity researchers at Palo Alto Networks have uncovered a sophisticated Android spyware campaign targeting Samsung Galaxy devices



Cybersecurity researchers at Palo Alto Networks have uncovered a sophisticated Android spyware campaign targeting Samsung Galaxy devices through the exploitation of a previously unknown zero-day vulnerability. The malware, dubbed Landfall, demonstrates the continued evolution of zero-click surveillance attacks — malicious campaigns that require no user interaction to compromise a device.

Technical Details of the Exploit

The core vulnerability, CVE-2025-21042, resides in a Samsung image processing library and can be exploited for remote code execution (RCE). According to Palo Alto Networks, attackers delivered a malicious DNG image file through WhatsApp to trigger the flaw.

Unlike traditional phishing campaigns, these attacks appear to use a zero-click delivery mechanism, allowing the spyware to infect devices without requiring the victim to open or interact with the message. The exploitation specifically targeted Samsung Galaxy models including the S22, S23, S24, Z Fold4, and Z Flip4.

Once deployed, Landfall enables full surveillance of the victim’s device, offering the attackers capabilities such as:

  • Microphone recording and ambient audio capture
  • GPS-based location tracking
  • Data exfiltration of photos, messages, and call logs
  • Access to contacts and communication apps

Timeline and Connection to Other Exploits

Samsung patched CVE-2025-21042 in April 2025, though Palo Alto’s investigation revealed the bug was exploited as a zero-day as early as July 2024. The tech giant’s advisory did not initially indicate that the vulnerability had been exploited in the wild.

Interestingly, the same library was affected by another zero-day, CVE-2025-21043, which was reported by Meta and WhatsApp and is believed to have been exploited by a commercial spyware vendor. Palo Alto noted striking technical similarities between these two vulnerabilities — both involving DNG image processing and both weaponized through mobile messaging platforms.

Additionally, the Landfall campaign mirrors the Apple CVE-2025-43300/CVE-2025-55177 exploit chain, which leveraged WhatsApp vulnerabilities to deploy spyware to iOS users earlier in the year.

Attribution and Geographic Targeting

While Palo Alto Networks has not definitively attributed the Landfall operation to a known spyware vendor, it has designated the responsible actor as CL-UNK-1054.

Preliminary analysis indicates potential overlap with the UAE-linked Stealth Falcon group, although no conclusive ties have been established. Certain naming conventions in the malware suggest possible links to commercial spyware firms such as NSO Group, Variston, or Cytrox.

Malware samples analyzed by Palo Alto Networks reveal that Landfall campaigns have been regionally focused — targeting individuals in the Middle East and North Africa, including Iran, Iraq, Turkey, and Morocco.

Conclusion

The Landfall case underscores the growing threat posed by zero-day vulnerabilities in mobile ecosystems and the increasing use of spyware in geopolitical surveillance.

As smartphone security continues to evolve, attackers are shifting toward high-value exploits that compromise trusted communication platforms. Regular patching, network-level monitoring, and restricting unverified media sharing remain critical defenses against these advanced cyber espionage campaigns.
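The delivery vector described above (a DNG file sent through a messaging app) and the closing recommendation to restrict unverified media sharing suggest one practical triage check: identify files by their actual structure rather than their extension. The script below is an added example, not code from the article or from Palo Alto Networks. It relies on two standard format facts: DNG is built on the TIFF container (the file opens with `II`/`MM` followed by the magic number 42), and every DNG carries the DNGVersion tag (TIFF tag 50706) in its first IFD. The `suspicious_media` heuristic and the sample files it is run on are constructed for this illustration; the check identifies DNG/TIFF content in places where it is not expected, it does not detect the Landfall exploit itself.

```python
"""Triage helper: classify media files by content (DNG / TIFF / other) and
flag DNG-structured payloads or extension mismatches in a set of files
received through a messaging app. Added example; not the article's code."""
import struct
from typing import Dict, Iterable, List, Optional, Tuple

DNG_VERSION_TAG = 0xC612  # TIFF tag 50706 "DNGVersion", present in every DNG


def parse_tiff_ifd0(data: bytes, max_entries: int = 512) -> Optional[Dict[int, Tuple[int, int, bytes]]]:
    """Parse IFD0 of a TIFF container.

    Returns None if the bytes are not a TIFF container at all, an empty dict if
    the header is valid but the IFD is unreadable (truncated), otherwise a
    mapping tag -> (field type, count, raw 4-byte value/offset field)."""
    if len(data) < 8:
        return None
    if data[:2] == b"II":
        end = "<"          # little-endian ("Intel")
    elif data[:2] == b"MM":
        end = ">"          # big-endian ("Motorola")
    else:
        return None
    magic, ifd_off = struct.unpack(end + "HI", data[2:8])
    if magic != 42:
        return None
    if ifd_off + 2 > len(data):
        return {}          # valid header, IFD beyond end of file
    (n,) = struct.unpack(end + "H", data[ifd_off:ifd_off + 2])
    n = min(n, max_entries)  # cap so a corrupt count cannot make us walk forever
    tags: Dict[int, Tuple[int, int, bytes]] = {}
    pos = ifd_off + 2
    for _ in range(n):
        if pos + 12 > len(data):
            break          # truncated IFD: keep what was readable, do not raise
        tag, typ, count = struct.unpack(end + "HHI", data[pos:pos + 8])
        tags[tag] = (typ, count, data[pos + 8:pos + 12])
        pos += 12
    return tags


def classify(data: bytes) -> str:
    """Return "dng", "tiff" or "other" based on container structure, not extension."""
    tags = parse_tiff_ifd0(data)
    if tags is None:
        return "other"
    return "dng" if DNG_VERSION_TAG in tags else "tiff"


def suspicious_media(files: Iterable[Tuple[str, bytes]]) -> List[Tuple[str, str]]:
    """Flag (name, reason) for files that are DNG-structured, or TIFF-structured
    while carrying a non-TIFF extension. Heuristic chosen for this example."""
    findings: List[Tuple[str, str]] = []
    for name, data in files:
        kind = classify(data)
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if kind == "dng":
            findings.append((name, "dng-content"))
        elif kind == "tiff" and ext not in ("tif", "tiff"):
            findings.append((name, "tiff-content-extension-mismatch"))
    return findings


def build_sample_tiff(include_dng_tag: bool = True) -> bytes:
    """Construct a minimal little-endian TIFF (1x1 image header only), optionally
    carrying a DNGVersion tag. Constructed sample input, not a real image."""
    entries = [
        (0x0100, 3, 1, struct.pack("<HH", 1, 0)),   # ImageWidth = 1 (SHORT, inline)
        (0x0101, 3, 1, struct.pack("<HH", 1, 0)),   # ImageLength = 1
    ]
    if include_dng_tag:
        entries.append((DNG_VERSION_TAG, 1, 4, bytes((1, 4, 0, 0))))  # DNGVersion 1.4.0.0
    ifd = struct.pack("<H", len(entries))
    for tag, typ, count, val in entries:
        ifd += struct.pack("<HHI", tag, typ, count) + val
    ifd += struct.pack("<I", 0)                     # no next IFD
    return b"II" + struct.pack("<HI", 42, 8) + ifd  # IFD0 starts right after the 8-byte header


if __name__ == "__main__":
    # Constructed inbox: a DNG hiding behind .jpg, a plain TIFF behind .jpg, a JPEG.
    inbox = [
        ("IMG-0001.jpg", build_sample_tiff(True)),
        ("cover.jpg", build_sample_tiff(False)),
        ("photo.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16),
    ]
    for name, reason in suspicious_media(inbox):
        print(f"{name}: {reason}")
```

Run as a script it prints the two flagged files; the JPEG passes. In practice this kind of check belongs in a mobile-device-management or mail/media gateway pipeline that can quarantine unexpected raw-image containers for review, complementing (not replacing) the patching the article calls for.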