A now-patched Samsung Galaxy flaw, tracked as CVE-2025-21042, was exploited as a zero-day to deploy LANDFALL spyware in targeted attacks in the Middle East.

Samsung patched a flaw, tracked as CVE-2025-21042 (CVSS score of 8.8), that was exploited as a zero-day to deploy LANDFALL spyware on Galaxy devices in Middle East attacks.

“Unit 42 researchers have uncovered a previously unknown Android spyware family, which we have named LANDFALL. To deliver the spyware, attackers exploited a zero-day vulnerability (CVE-2025-21042) in Samsung’s Android image processing library.” reads the report published by Palo Alto Networks Unit 42. “The specific flaw LANDFALL exploited, CVE-2025-21042, is not an isolated case but rather part of a broader pattern of similar issues found on multiple mobile platforms.”

The researchers confirmed that the vulnerability was actively exploited in the wild for months before Samsung patched it in April 2025. The LANDFALL campaign, tracked as CL-UNK-1054, hid malware in DNG image files sent via WhatsApp. LANDFALL is Android spyware targeting Samsung Galaxy devices in the Middle East. The malware enabled zero-click surveillance: recording audio, tracking location, and stealing data. The campaign, active for months, shared tactics and infrastructure with Middle Eastern commercial spyware operations, suggesting links to private-sector offensive actors (PSOAs).

Samsung disclosed in September 2025 that a separate image-library flaw, tracked as CVE-2025-21043, had been exploited in the wild, but researchers found no evidence that LANDFALL used that bug. LANDFALL campaigns delivered malicious DNG images, often via WhatsApp, and researchers traced samples back to at least July 23, 2024 (file names like IMG-20240723-WA0000.jpg). The spyware exploited a Samsung zero-day (CVE-2025-21042) in a likely zero-click chain to install itself without user interaction.

The researchers uncovered the campaign while investigating malformed DNG image files.
“The malformed DNG image files we discovered have an embedded ZIP archive appended to the end of the file. Figure 1 shows one of these samples in a hex editor, indicating where the ZIP archive content begins near the end of the file.” continues the report. “Our analysis indicates these DNG files exploit CVE-2025-21042, a vulnerability in Samsung’s image-processing library libimagecodec.quram.so that Samsung patched in April 2025. The exploit extracts shared object library (.so) files from the embedded ZIP archive to run LANDFALL spyware. Figure 2 below shows a flowchart for this spyware.”

The payload drops two components: b.so, the main backdoor (“Bridge Head”), and l.so, a SELinux policy manipulator that grants root privileges and persistence.

Once deployed, LANDFALL can record calls and audio, exfiltrate photos, messages, files, and system data, and monitor WhatsApp activity. It employs evasion techniques such as debugger and framework detection, SELinux modification, and certificate pinning for its C2 channel over HTTPS.

The spyware targets flagship models (Galaxy S22–S24, Fold4, Flip4) and communicates with six known C2 servers across Europe. The researchers link it to a broader wave of DNG-based zero-click exploits affecting both Android and iOS platforms, underscoring the growing threat of image-processing vulnerabilities in mobile espionage.

Analysis of VirusTotal submission data revealed that potential targets of the campaign are in Iraq, Iran, Turkey, and Morocco.

The researchers are not able to attribute the campaign to a specific threat actor. However, Unit 42 found its C2 infrastructure and domain patterns similar to those of Stealth Falcon (aka FruityArmor), though no direct links had been confirmed as of October 2025.

“From the initial appearance of samples in July 2024, this activity highlights how sophisticated exploits can remain in public repositories for an extended period before being fully understood.” concludes the report.
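The file layout the report describes, a ZIP archive glued onto the end of a DNG, is easy to check for during triage, because a legitimate DNG (a TIFF-based format) has no reason to carry a trailing archive. The script below is an added example written for this page; it is not code from Unit 42, Samsung, or the article. It builds a constructed minimal TIFF/DNG skeleton, appends a ZIP whose members are inert placeholders named b.so and l.so (the names the article cites; they contain no real code), and then locates any appended archive by walking back from the ZIP End-of-Central-Directory record and listing its members. All function and constant names are my own.

```python
import io
import struct
import zipfile

TIFF_MAGICS = (b"II*\x00", b"MM\x00*")   # little- and big-endian TIFF/DNG headers
ZIP_LOCAL_HDR = b"PK\x03\x04"             # first bytes of a ZIP local file header
ZIP_EOCD = b"PK\x05\x06"                  # ZIP End-of-Central-Directory signature
# Member extensions that have no business inside an image (assumption: extend to taste)
SUSPICIOUS_EXT = (".so", ".dex", ".apk")


def build_minimal_dng() -> bytes:
    """Constructed sample: a minimal little-endian TIFF skeleton (DNG is TIFF-based)
    with a single IFD entry and 64 bytes of filler standing in for image data."""
    data = b"II*\x00" + struct.pack("<I", 8)          # byte order, magic, first IFD at offset 8
    data += struct.pack("<H", 1)                      # one IFD entry
    data += struct.pack("<HHII", 0x0100, 3, 1, 16)    # ImageWidth tag, type SHORT, count 1, value 16
    data += struct.pack("<I", 0)                      # no further IFD
    data += b"\x00" * 64                              # filler "pixel" data
    return data


def build_dng_with_appended_zip() -> bytes:
    """Constructed sample mirroring the layout the report describes: a ZIP archive
    appended after the image. Members are placeholder text, not shared objects."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("b.so", b"placeholder text, not a real shared object")
        zf.writestr("l.so", b"placeholder text, not a real shared object")
    return build_minimal_dng() + buf.getvalue()


def find_appended_zip(data: bytes):
    """Locate a ZIP archive appended to a TIFF/DNG file.

    Returns (zip_start_offset, member_names) or None. The EOCD record stores the
    central-directory size and its offset relative to the archive start, so
    eocd - cd_size - cd_offset gives the true start even with data prepended.
    """
    if data[:4] not in TIFF_MAGICS:
        raise ValueError("not a TIFF/DNG file")
    eocd = data.rfind(ZIP_EOCD)
    if eocd == -1:
        return None
    cd_size, cd_offset = struct.unpack_from("<II", data, eocd + 12)
    zip_start = eocd - cd_size - cd_offset
    if zip_start <= 8 or data[zip_start:zip_start + 4] != ZIP_LOCAL_HDR:
        return None                                   # stray bytes, not a real archive
    with zipfile.ZipFile(io.BytesIO(data[zip_start:])) as zf:
        names = zf.namelist()
    return zip_start, names


def assess_dng(data: bytes) -> dict:
    """Triage verdict for one file: whether a trailing ZIP exists, what it holds,
    and whether any member looks like native code."""
    found = find_appended_zip(data)
    if found is None:
        return {"appended_zip": False, "members": [], "suspicious": False}
    zip_start, names = found
    return {
        "appended_zip": True,
        "zip_offset": zip_start,
        "members": names,
        "suspicious": any(n.lower().endswith(SUSPICIOUS_EXT) for n in names),
    }


if __name__ == "__main__":
    for label, sample in (("clean", build_minimal_dng()),
                          ("appended-zip", build_dng_with_appended_zip())):
        print(label, assess_dng(sample))
```

Run it on real files by reading them in binary mode and passing the bytes to assess_dng. The check is purely structural: it flags the delivery container, not the bug in the image decoder, so a hit means the file deserves quarantine and deeper analysis, while a miss says nothing about whether the DNG itself is malformed.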
“The analysis of the loader reveals evidence of commercial-grade activity. The LANDFALL spyware components suggest advanced capabilities for stealth, persistence and comprehensive data collection from modern Samsung devices.”

Pierluigi Paganini (SecurityAffairs – hacking, malware)