Mallory

LANDFALL Android Spyware Campaign Targeting Samsung Devices via Zero-Day Exploit

Tags: state-sponsored-espionage, endpoint-software-vulnerability, remote-access-implant, initial-access-method, threat-infrastructure-tracking
Updated March 21, 2026 at 03:28 PM · 18 sources

Security researchers uncovered a sophisticated Android spyware campaign, dubbed LANDFALL, that targeted Samsung Galaxy devices using a previously unknown zero-day vulnerability (CVE-2025-21042) in Samsung's image-processing library, libimagecodec.quram.so. Attackers delivered the spyware through malicious DNG image files, likely sent via WhatsApp, enabling comprehensive surveillance capabilities such as microphone recording, location tracking, and exfiltration of calls and messages, among other functions. The campaign, believed to have operated primarily in the Middle East, was characterized by precise targeting and advanced tradecraft, including zero-click exploitation and infrastructure patterns reminiscent of commercial spyware vendors. Samsung patched the vulnerability in April 2025, mitigating the risk for users on updated firmware.

The LANDFALL operation was not a mass malware campaign but a targeted espionage effort, with researchers noting similarities to other commercial-grade spyware activities in the region. The vendor and government sponsor behind LANDFALL remain unidentified, and the full scope of affected individuals is unclear. The campaign's infrastructure and domain registration patterns suggest possible links to known threat actors, but attribution remains unconfirmed. Researchers emphasize that the operation predates other high-profile exploit chains involving similar vulnerabilities, highlighting the evolving threat landscape for mobile device users, especially those in sensitive regions or roles.

Timeline

  1. Nov 10, 2025

    CISA adds CVE-2025-21042 to KEV and orders federal patching

    On November 10, 2025, CISA added Samsung flaw CVE-2025-21042 to its Known Exploited Vulnerabilities catalog after public reporting on its use in LANDFALL spyware attacks. CISA ordered U.S. federal civilian agencies to remediate the issue under BOD 22-01 and set a deadline of December 1, 2025.

  2. Nov 7, 2025

    Unit 42 publicly discloses LANDFALL spyware campaign

    On November 7, 2025, Palo Alto Networks Unit 42 published research on the previously unknown LANDFALL Android spyware family and its exploit chain targeting Samsung Galaxy devices. The report described modular spyware capabilities, six C2 endpoints, likely victim geography including Iraq, Iran, Turkey, and Morocco, and possible WhatsApp-based zero-click delivery via malformed DNG files.

  3. Oct 1, 2025

    Unit 42 notes no direct Stealth Falcon overlap as of October 2025

    By October 2025, Unit 42 had assessed that LANDFALL infrastructure and registration patterns resembled activity associated with Stealth Falcon and other Middle East commercial spyware ecosystems, but it had not found direct overlap sufficient for attribution. The operation remained unattributed despite these similarities.

  4. Sep 1, 2025

    Samsung patches related DNG flaw CVE-2025-21043

    Samsung later fixed a second DNG parsing vulnerability in the same image-processing library, tracked as CVE-2025-21043 / SVE-2025-1702, in September 2025. Unit 42 said it found no evidence that LANDFALL used this second flaw.

  5. Aug 1, 2025

    Apple patches similar iOS DNG-processing flaw

    Apple patched CVE-2025-43300, a similar DNG image-processing vulnerability in iOS, in August 2025. Multiple reports said this helped prompt further scrutiny of Samsung's image parsing issues and highlighted a broader pattern of DNG-based mobile exploitation.

  6. Apr 1, 2025

    Samsung patches CVE-2025-21042 in April security update

    Samsung patched the exploited out-of-bounds write vulnerability CVE-2025-21042 in libimagecodec.quram.so in April 2025. The flaw had been used to deliver LANDFALL spyware through crafted DNG images, likely via WhatsApp and potentially in a zero-click chain.

  7. Apr 1, 2025

    Meta and WhatsApp report Samsung image-processing zero-day to Samsung

    According to later reporting, Samsung received the report of the libimagecodec.quram.so flaw CVE-2025-21042 from the Meta and WhatsApp security teams after it had already been exploited in the wild. This private disclosure preceded Samsung's fix.

  8. Jul 1, 2024

    LANDFALL activity appears in public repositories

    Palo Alto Networks Unit 42 said it observed artifacts tied to the LANDFALL Android spyware operation in public repositories as early as July 2024, indicating the campaign was active by then. The activity targeted Samsung Galaxy devices, primarily in the Middle East, using malicious DNG image files.
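The timeline describes the exploit vector only as crafted DNG images that trigger an out-of-bounds write in libimagecodec.quram.so, and the page gives no detail of the trigger file itself. What a defender can do generically is validate the container layout of a DNG before handing it to a full decoder, because a DNG is a TIFF 6.0 file and every IFD offset, entry count and out-of-line value block can be bounds-checked against the file size up front. The script below is an added example written for this page; it is not code from Unit 42, Samsung or Mallory, it does not model the actual LANDFALL trigger, and the sample files, the `MAX_IFD_ENTRIES` ceiling and the field-type table are constructed or assumed for the illustration.

```python
"""Structural validator for the TIFF container that DNG files use (added example).

Assumption: a DNG is a TIFF 6.0 container, so IFD offsets, entry counts and
out-of-line value blocks can be checked against the file size before any
pixel decoding happens.  This is a generic layout check, not Samsung's codec
and not the LANDFALL trigger file, which this page does not describe.
"""
import struct

# Byte width of each TIFF field type (TIFF 6.0 types 1-12 plus type 13 "IFD").
TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 6: 1, 7: 1,
              8: 2, 9: 4, 10: 8, 11: 4, 12: 8, 13: 4}
MAX_IFD_ENTRIES = 4096  # assumption: a generous ceiling for real camera files


def validate_dng_layout(data: bytes) -> list[str]:
    """Walk the IFD chain and return the structural problems found (empty list = clean)."""
    problems: list[str] = []
    size = len(data)
    if size < 8:
        return ["file shorter than the 8-byte TIFF header"]
    if data[:2] == b"II":
        endian = "<"
    elif data[:2] == b"MM":
        endian = ">"
    else:
        return ["unknown byte-order marker %r" % data[:2]]
    magic, offset = struct.unpack(endian + "HI", data[2:8])
    if magic != 42:
        problems.append("bad TIFF magic %d" % magic)
    seen = set()
    while offset != 0:
        if offset in seen:                       # a malformed chain can loop forever
            problems.append("IFD chain loops back to offset %d" % offset)
            break
        seen.add(offset)
        if offset + 2 > size:                    # the entry count itself lies past EOF
            problems.append("IFD offset %d outside file (size %d)" % (offset, size))
            break
        (count,) = struct.unpack(endian + "H", data[offset:offset + 2])
        if count == 0 or count > MAX_IFD_ENTRIES:
            problems.append("IFD at %d has implausible entry count %d" % (offset, count))
            break
        end = offset + 2 + 12 * count + 4        # entries plus the next-IFD pointer
        if end > size:
            problems.append("IFD at %d with %d entries runs past EOF" % (offset, count))
            break
        for i in range(count):
            base = offset + 2 + 12 * i
            tag, ftype, fcount = struct.unpack(endian + "HHI", data[base:base + 8])
            width = TYPE_SIZES.get(ftype)
            if width is None:
                problems.append("tag %d: unknown field type %d" % (tag, ftype))
                continue
            # Python ints cannot overflow; a C parser must guard this product before allocating.
            total = width * fcount
            if total > 4:                        # value stored out of line; the 4 bytes hold its offset
                (value_off,) = struct.unpack(endian + "I", data[base + 8:base + 12])
                if value_off + total > size:
                    problems.append("tag %d: value block %d+%d exceeds file size %d"
                                    % (tag, value_off, total, size))
        (offset,) = struct.unpack(endian + "I", data[end - 4:end])
    return problems


def build_tiff(entries, payload=b"", first_ifd=8, next_ifd=0) -> bytes:
    """Assemble a little-endian TIFF from (tag, type, count, value_or_offset) tuples (constructed data)."""
    ifd = struct.pack("<H", len(entries))
    for tag, ftype, fcount, value in entries:
        ifd += struct.pack("<HHII", tag, ftype, fcount, value)
    ifd += struct.pack("<I", next_ifd)
    return b"II" + struct.pack("<HI", 42, first_ifd) + ifd + payload


# Constructed samples: a 3-entry IFD (ImageWidth, ImageLength, ImageDescription) occupies
# bytes 8..49, so the 12-byte description string sits at offset 50 and the file is 62 bytes.
DESC = b"constructed\0"
BASE = [(256, 3, 1, 64), (257, 3, 1, 64), (270, 2, len(DESC), 50)]
SAMPLES = {
    "clean":           build_tiff(BASE, DESC),
    "oversized_value": build_tiff([(256, 3, 1, 64), (257, 3, 1, 64), (270, 2, 0x40000000, 50)], DESC),
    "ifd_past_eof":    build_tiff(BASE, DESC, first_ifd=4096),
    "ifd_loop":        build_tiff(BASE, DESC, next_ifd=8),
}


if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(name, validate_dng_layout(blob) or "ok")
```

Run as a script it reports each constructed sample; in practice the check would sit in front of whatever decoder a mail or messaging gateway uses, rejecting files whose declared offsets or counts do not fit the bytes actually received. A clean layout does not prove a file is safe, since a decoder bug can be reached through well-formed structure too, so this belongs alongside patch-level enforcement rather than in place of it.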


Related Stories

Android Zero-Day Exploited by LANDFALL Spyware Campaign

A sophisticated Android spyware campaign, identified as "LANDFALL," exploited a zero-day remote code execution vulnerability in a widely used image-processing library on major Android devices. Attackers delivered the spyware through malicious DNG image files, often sent via messaging apps, enabling a zero-click exploit chain that bypassed traditional antivirus defenses. Once installed, the spyware gained extensive access to device resources, including the microphone, location data, call logs, photos, and contacts, highlighting the increasing risk posed by advanced mobile threats targeting both personal and business data on smartphones. Security researchers emphasize the critical need for organizations to prioritize timely patching of mobile endpoints, monitor for anomalous device behavior, and enforce robust mobile security policies, especially in BYOD and hybrid environments. The incident demonstrates how mobile devices have become primary targets for high-stakes espionage and underscores the importance of continuous threat monitoring and improved user security hygiene to mitigate the risk of compromise from sophisticated, zero-day-driven attacks.

1 month ago

Active Spyware Campaigns Targeting Mobile Messaging Apps and Android Devices

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert regarding a surge in sophisticated spyware campaigns targeting users of popular mobile messaging applications such as Signal, WhatsApp, and Telegram. Threat actors are leveraging commercial spyware and remote access trojans (RATs), employing tactics like social engineering, device-linking QR codes, zero-click exploits, and spoofed app versions to compromise high-value individuals, including government officials. Notable campaigns include the use of Android spyware like ProSpy, ToSpy, and ClayRat, as well as the exploitation of vulnerabilities in iOS, WhatsApp, and Samsung devices to deploy malware such as LANDFALL, with the goal of persistent access and data exfiltration. In a related development, researchers at Certo Software have identified a new Android RAT dubbed RadzaRat, which masquerades as a legitimate file manager app. RadzaRat provides attackers with full remote control over infected devices, supports large-scale file transfers, and features keylogging capabilities to steal sensitive information. Alarmingly, RadzaRat is currently undetectable by all major antivirus solutions and is openly available for download, increasing the risk of widespread abuse. These findings underscore the growing threat posed by advanced spyware and RATs targeting mobile platforms, often bypassing traditional security defenses and exploiting user trust in legitimate-looking applications.

1 month ago

Android Malware and Spyware Campaigns Using Trusted Platforms and Social Engineering Lures

Two separate Android-focused threat operations were reported, both relying on social engineering to drive manual installation of malicious apps. Bitdefender documented a campaign that abuses **Hugging Face** as a trusted hosting/CDN distribution point for an Android credential-stealing payload targeting popular financial and payment services. Victims are lured into installing a dropper app named **TrustBastion** via scareware-style ads; after installation it displays a fake Google Play “mandatory update” flow, then contacts infrastructure associated with `trustbastion[.]com` which redirects to a Hugging Face dataset repository hosting the final APK. The actor used **server-side polymorphism** to generate new payload variants roughly every 15 minutes, resulting in thousands of variants and rapid repository churn (reported as >6,000 commits over ~29 days); after takedown, the operation reportedly resurfaced under a new name (“**Premium Club**”) with refreshed branding. ESET separately identified an Android spyware campaign tracked as **GhostChat** that uses **romance-scam** tactics to target individuals in Pakistan. The malicious app is disguised as a chat/dating service but primarily functions as a surveillance tool; it presents “locked” female profiles with passcodes (hardcoded in the app) to create a sense of exclusivity, then routes victims into WhatsApp chats tied to Pakistani numbers likely controlled by the operator. The app was distributed via unofficial sources (not Google Play) and is blocked by Google Play Protect by default; ESET also linked the same actor to a broader surveillance effort including a **ClickFix** compromise chain and a WhatsApp device-linking attack, using websites impersonating Pakistani government organizations as lures.

1 month ago
