A recently discovered Android spyware has been delivered to Samsung device owners through the exploitation of a zero-day vulnerability, Palo Alto Networks reported on Friday.
The spyware, named Landfall by Palo Alto Networks, exploited a vulnerability tracked as CVE-2025-21042, which affects a Samsung image processing library and can be exploited for remote code execution.
The attackers appear to have exploited CVE-2025-21042 by sending the targeted users a specially crafted DNG image through WhatsApp. The attacks seem to have been aimed at Samsung Galaxy phones and the threat actor may have delivered Landfall through a zero-click exploit.
The security firm noted that it has not identified any previously unknown WhatsApp flaws.
Landfall can target Samsung Galaxy S22, S23, S24, Z Fold4, and Z Flip4 phones. Once it has infected a device, the malware enables its operator to spy on the victim. The spyware has microphone recording, location tracking, and data exfiltration capabilities, and the attacker can leverage it to steal photos, contacts, and call logs.
CVE-2025-21042 was patched by Samsung in April, but the tech giant’s advisory does not mention in-the-wild exploitation. Palo Alto said the Landfall attacks have been carried out since at least July 2024, meaning CVE-2025-21042 was exploited as a zero-day before Samsung released patches.
CVE-2025-21042 is similar to CVE-2025-21043, another exploited zero-day patched recently by Samsung in the same image library. Reported by Meta and WhatsApp, CVE-2025-21043 allows remote code execution and it was also likely exploited by a spyware vendor.
“While it was not exploited in the Landfall samples we discovered, the similarities between the exploit for Landfall (CVE-2025-21042) and this vulnerability (CVE-2025-21043) are striking. Both vulnerabilities were publicly disclosed around the same time and both are connected to DNG image file processing delivered through mobile communication applications,” Palo Alto Networks explained.
A few weeks prior to CVE-2025-21043’s disclosure, Apple patched CVE-2025-43300, a similar vulnerability that is believed to have been chained with a WhatsApp zero-day tracked as CVE-2025-55177 to deliver spyware to Apple customers.
Palo Alto Networks was unable to confirm that the CVE-2025-43300/CVE-2025-55177 exploit chain was used to deliver Landfall spyware to iOS users.
The security firm was also unable to attribute the Landfall malware to a known commercial spyware vendor and is currently tracking the threat actor behind the CVE-2025-21042 attacks as CL-UNK-1054.
Some connections have been found to the UAE-linked Stealth Falcon group, but Palo Alto has not found conclusive evidence tying Landfall to this threat actor. In addition, malware component naming conventions suggest that the spyware could have been developed by other surveillance companies such as NSO, Variston and Cytrox.
Malicious DNG file samples analyzed by Palo Alto Networks suggest that the Landfall attacks have been aimed at individuals in the Middle East and North Africa, including Iran, Iraq, Turkey and Morocco.