
Android Zero-Day Exploited by LANDFALL Spyware Campaign

Tags: actively-exploited-vulnerability, endpoint-software-vulnerability, remote-access-implant, state-sponsored-espionage, initial-access-method

Updated March 21, 2026 at 03:17 PM (2 sources)

Get Ahead of Threats Like This

Know if you're exposed. Before adversaries strike.

A sophisticated Android spyware campaign, identified as "LANDFALL," exploited a zero-day remote code execution vulnerability in a widely used image-processing library on major Android devices. Attackers delivered the spyware through malicious DNG image files, often sent via messaging apps, enabling a zero-click exploit chain that bypassed traditional antivirus defenses. Once installed, the spyware gained extensive access to device resources, including the microphone, location data, call logs, photos, and contacts, highlighting the increasing risk posed by advanced mobile threats targeting both personal and business data on smartphones.

Security researchers emphasize the critical need for organizations to prioritize timely patching of mobile endpoints, monitor for anomalous device behavior, and enforce robust mobile security policies, especially in BYOD and hybrid environments. The incident demonstrates how mobile devices have become primary targets for high-stakes espionage and underscores the importance of continuous threat monitoring and improved user security hygiene to mitigate the risk of compromise from sophisticated, zero-day-driven attacks.

Timeline

  1. Nov 25, 2025

    Zero-day RCE in Android image-processing library is disclosed

    A newly disclosed zero-day remote code execution flaw was identified in an image-processing library used by major Android devices. According to the report, malicious image files could trigger compromise without user interaction and potentially grant system-level privileges.

  2. Nov 24, 2025

    Commercial-grade mobile spyware LANDFALL is identified

    Zimperium reported on a commercial-grade mobile spyware threat it calls LANDFALL, highlighting it as evidence of increasingly sophisticated mobile-targeted surveillance activity. The reference does not provide a specific discovery date beyond the publication timing.


Related Stories

LANDFALL Android Spyware Campaign Targeting Samsung Devices via Zero-Day Exploit

Security researchers uncovered a sophisticated Android spyware campaign, dubbed **LANDFALL**, which specifically targeted Samsung Galaxy devices using a previously unknown zero-day vulnerability (`CVE-2025-21042`) in the image processing library. Attackers delivered the spyware through malicious DNG image files, likely sent via WhatsApp, enabling comprehensive surveillance capabilities such as microphone recording, location tracking, call and message exfiltration, and more. The campaign, believed to have operated primarily in the Middle East, was characterized by its precision targeting and use of advanced tradecraft, including zero-click exploitation and infrastructure patterns reminiscent of commercial spyware vendors. Samsung patched the vulnerability in April 2025, mitigating ongoing risk for current users. The LANDFALL operation was not a mass malware campaign but a targeted espionage effort, with researchers noting similarities to other commercial-grade spyware activities in the region. The vendor and government sponsor behind LANDFALL remain unidentified, and the full scope of affected individuals is unclear. The campaign's infrastructure and domain registration patterns suggest possible links to known threat actors, but attribution remains unconfirmed. Researchers emphasize that the operation predates other high-profile exploit chains involving similar vulnerabilities, highlighting the evolving threat landscape for mobile device users, especially those in sensitive regions or roles.

1 month ago

Surge in Zero-Click and Zero-Day Exploits Targeting Mobile Devices

A significant escalation in zero-click and zero-day exploitation techniques was observed throughout 2025, with attackers increasingly targeting mobile platforms such as iOS. Zero-click exploits, which require no user interaction, have become a preferred method for advanced persistent threats, nation-state actors, and commercial surveillance vendors. At least 14 major zero-click vulnerabilities were identified, affecting billions of devices and highlighting the growing attack surface beyond traditional user-driven threats. The average time from vulnerability disclosure to exploitation has dropped dramatically, putting pressure on organizations to accelerate patching cycles and improve detection capabilities. Recent reports confirm that multiple zero-day vulnerabilities in iOS were actively exploited in targeted spyware campaigns before patches became available. Attackers leveraged flaws in core mobile components, such as browser engines, to execute malicious code and compromise devices with minimal or no user involvement. These incidents underscore the persistent risks posed by mobile spyware and the critical need for rapid patching, enhanced mobile OS visibility, and continuous monitoring for anomalous device behavior as mobile endpoints remain high-value targets for cyber adversaries.

1 month ago

Active Spyware Campaigns Targeting Mobile Messaging Apps and Android Devices

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert regarding a surge in sophisticated spyware campaigns targeting users of popular mobile messaging applications such as Signal, WhatsApp, and Telegram. Threat actors are leveraging commercial spyware and remote access trojans (RATs), employing tactics like social engineering, device-linking QR codes, zero-click exploits, and spoofed app versions to compromise high-value individuals, including government officials. Notable campaigns include the use of Android spyware like ProSpy, ToSpy, and ClayRat, as well as the exploitation of vulnerabilities in iOS, WhatsApp, and Samsung devices to deploy malware such as LANDFALL, with the goal of persistent access and data exfiltration. In a related development, researchers at Certo Software have identified a new Android RAT dubbed RadzaRat, which masquerades as a legitimate file manager app. RadzaRat provides attackers with full remote control over infected devices, supports large-scale file transfers, and features keylogging capabilities to steal sensitive information. Alarmingly, RadzaRat is currently undetectable by all major antivirus solutions and is openly available for download, increasing the risk of widespread abuse. These findings underscore the growing threat posed by advanced spyware and RATs targeting mobile platforms, often bypassing traditional security defenses and exploiting user trust in legitimate-looking applications.

1 month ago