Gadget Bridge
Landfall, a new Android spyware found to be targeting Samsung Galaxy phones

The Android spyware spreads via images shared on social media platforms, targeting the phone's image processing library.

Landfall, a spyware that has been active for over a year, targets Samsung Galaxy smartphones by exploiting a vulnerability tracked as CVE-2025-21042 in the phone's image processing library. This commercial-grade spyware can record audio, read messages, and copy data without being detected, and it can be spread via seemingly legitimate photos posted on social networking platforms. Although Samsung fixed this issue earlier this year, the malware stayed operational for more than a year before the fix, targeting certain Galaxy models by abusing the way those devices parse images.

The Landfall spyware attack was uncovered by cybersecurity experts at Unit 42, the threat intelligence team of Palo Alto Networks. The spyware was hidden inside image files and exploited an unpatched vulnerability to obtain unauthorised control over the affected devices.

According to the research, the vulnerability is not an isolated incident; rather, it indicates a recurring pattern of similar security issues across several mobile platforms. CVE-2025-21042 was already being exploited before Samsung released a fix in April 2025 in response to reports of real-world attacks. However, the exploit's specifics, as well as the commercial-grade spyware that accompanied it, have yet to be publicly revealed and investigated.

LANDFALL used malicious images in the DNG format, which were apparently sent over WhatsApp. This approach is comparable to a previously reported exploit chain involving vulnerabilities in Apple and WhatsApp that drew attention in August 2025, as well as another exploit chain connected with the zero-day vulnerability CVE-2025-21043, which was discovered in September. However, the analysis did not reveal any previously unknown vulnerabilities inside WhatsApp. Significantly, the LANDFALL operation began in mid-2024, exploiting the zero-day vulnerability CVE-2025-21042 in Android/Samsung smartphones, which existed for months before the fix was implemented. This particular vulnerability has been patched since April 2025, removing any potential harm to current Samsung users. Furthermore, in September, Samsung patched another zero-day vulnerability, CVE-2025-21043, in the same image processing library, improving protections against targeted attacks.

What is Landfall?

LANDFALL is a spyware built for Samsung Galaxy handsets and used in targeted intrusions in the Middle East. It provides extensive surveillance capabilities, such as microphone recording, location tracking, and the collection of personal data such as images, contacts, and call records. The malware exploits a serious zero-day vulnerability (CVE-2025-21042) in Samsung's image processing library and is delivered through malformed DNG image files. The delivery technique might enable zero-click exploitation via maliciously crafted photos, similar to attack chains previously detected on iOS and other Samsung Galaxy smartphones. This operation shares infrastructure and procedures with commercial spyware operations in the region, implying a link to private-sector offensive actors. LANDFALL has purportedly been operating unnoticed for some months.

LANDFALL’s b.so component contains a variety of debug and status strings, suggesting that it most likely requires other components to function properly. The analysis reveals potential functionality such as device fingerprinting (OS version, hardware ID, SIM ID, etc.), data exfiltration (access to calls, contacts, SMS, recordings), execution and persistence (loading shared objects, executing DEX files, modifying SELinux), and evasion techniques (detecting debugging frameworks, manipulating namespaces). Devices targeted include the Galaxy S23, S24, Z Fold4, S22, and Z Flip4 series.

Komila Singh