
Redazione RHC: 9 November 2025 09:19
Researchers at Palo Alto Networks Unit 42 have discovered a new, previously unknown family of Android spyware called LANDFALL. To spread it, malicious actors exploited a zero-day vulnerability (CVE-2025-21042) in the Android image processing library built into Samsung devices.
This flaw is not an isolated case, but part of a recurring pattern of similar vulnerabilities found across mobile platforms. CVE-2025-21042 was actively exploited in real-world (in-the-wild) attacks before its fix, which Samsung released in April 2025 following initial reports of compromise. Until now, however, neither the exploit nor the associated commercial spyware had been analyzed or publicly documented.
LANDFALL was distributed via malicious image files in DNG format, presumably sent via WhatsApp.
The technique closely resembles the exploit chain involving Apple and WhatsApp in August 2025, as well as a second campaign observed in September and linked to CVE-2025-21043. It is important to note that no previously unknown vulnerabilities in WhatsApp were identified during the investigation.
A crucial aspect is that the LANDFALL campaign was active as early as mid-2024, months before the other vulnerabilities were publicly disclosed. The spyware exploited the Android/Samsung zero-day CVE-2025-21042 well before it was patched.
The flaw was patched by April 2025, eliminating the risk for existing Samsung users. Subsequently, in September, Samsung fixed an additional zero-day vulnerability (CVE-2025-21043) in the same image processing library, strengthening protection against this type of exploit.
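A quick way for an administrator to check whether a Samsung device's security patch level already covers the two fixes mentioned above, as an added example that is not part of the Unit 42 report or this article. It assumes, from the dates given here, that the CVE-2025-21042 fix ships with the April 2025 patch level and the CVE-2025-21043 fix with the September 2025 patch level; the function name and the constructed sample values are ours.

```shell
#!/bin/sh
# Added example: classify an Android security patch level (the value of
# ro.build.version.security_patch, formatted YYYY-MM-DD) against the two
# Samsung image-library fixes discussed in the article.
# Assumption: CVE-2025-21042 fixed in the 2025-04 patch level,
#             CVE-2025-21043 fixed in the 2025-09 patch level.

# patch_status SPL
#   prints "patched", "unpatched: <CVE list>" or "invalid"
#   exit 0 = fully patched, 1 = something missing, 2 = bad input
patch_status() {
  spl="$1"
  case "$spl" in
    [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
    *) echo "invalid"; return 2 ;;
  esac
  # Reduce 2025-04-01 to the integer 202504 for a simple numeric compare.
  year=${spl%%-*}
  rest=${spl#*-}
  month=${rest%%-*}
  ym="$year$month"
  missing=""
  if [ "$ym" -lt 202504 ]; then
    missing="CVE-2025-21042"
  fi
  if [ "$ym" -lt 202509 ]; then
    missing="${missing:+$missing }CVE-2025-21043"
  fi
  if [ -n "$missing" ]; then
    echo "unpatched: $missing"
    return 1
  fi
  echo "patched"
  return 0
}

# Stand-alone demo on a constructed value. On a connected device use:
#   patch_status "$(adb shell getprop ro.build.version.security_patch | tr -d '\r')"
patch_status "${1:-2025-10-01}"
```

The check only tells you whether the vendor's fix is present; it says nothing about whether a device was compromised before the update was applied.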
Unit 42's analysis provides rare visibility into an advanced spyware operation that remained active and undetected for months, offering important insight into the abuse that took place before the vulnerabilities were patched.