
Researchers at Palo Alto Networks Unit 42 have discovered a new, previously unknown family of Android spyware called LANDFALL. To spread it, malicious actors exploited a zero-day vulnerability (CVE-2025-21042) in the Android image processing library built into Samsung devices.
This flaw is not an isolated case, but rather part of a recurring pattern of similar vulnerabilities found in various mobile platforms. CVE-2025-21042 was actively exploited in the wild before Samsung released its fix in April 2025, following initial reports of compromise. However, neither the exploit nor the associated commercial spyware had previously been analyzed or publicly documented.
LANDFALL was distributed via malicious image files in DNG format, presumably sent via WhatsApp.
The technique used closely resembles an exploit chain that involved Apple and WhatsApp in August 2025, as well as a second campaign observed in September, linked to the CVE-2025-21043 vulnerability. It is important to note that no previously unknown vulnerabilities in WhatsApp were identified during the investigation.
A crucial aspect is that the LANDFALL campaign was active as early as mid-2024, months before the other vulnerabilities were publicly disclosed. The spyware exploited the Android/Samsung zero-day vulnerability CVE-2025-21042 well before it was patched.
The flaw was patched by April 2025, eliminating the risk for existing Samsung users. Subsequently, in September, Samsung fixed an additional zero-day vulnerability (CVE-2025-21043) in the same image processing library, strengthening protection against this type of exploit.
Unit 42's analysis provides rare visibility into an advanced spyware operation that remained active and undetected for months, offering important insights into abuse that occurred before the vulnerabilities were patched.
