LANDFALL New Commercial-Grade Android Spyware in Exploit Chain Targeting Samsung Devices

Unit 42 researchers have uncovered a previously unknown Android spyware family, which we have named LANDFALL. To deliver the spyware, attackers exploited a zero-day vulnerability (CVE-2025-21042) in Samsung’s Android image processing library. The vulnerability was actively exploited in the wild before Samsung patched it in April 2025 in response to reports of those attacks.

Key findings:

  • LANDFALL is Android spyware built specifically to target Samsung Galaxy devices, and it was used in targeted intrusion activity in the Middle East.
  • It enabled comprehensive surveillance, including microphone recording, location tracking, and collection of photos, contacts, and call logs.
  • The spyware is delivered through malformed DNG image files exploiting CVE-2025-21042 — a critical zero-day vulnerability.
  • The exploit chain possibly involved zero-click delivery using maliciously crafted images, similar to recent exploit chains seen on iOS and Samsung Galaxy.
  • The campaign shares infrastructure and tradecraft patterns with commercial spyware operations in the Middle East, indicating possible links to private-sector offensive actors (PSOAs).
  • LANDFALL remained active and undetected for months.

For the complete article, read more at Palo Alto Networks.

This post is licensed under CC BY 4.0 by the author.