Newly identified spyware, dubbed LandFall, was deployed by exploiting a zero-day vulnerability in Samsung's Android image processing library. The flaw, tracked as CVE-2025-21042, is a critical out-of-bounds write issue that allows remote code execution. Attackers delivered the spyware by sending maliciously crafted .DNG image files through WhatsApp messages, with evidence suggesting the campaign has targeted select Samsung users in the Middle East since at least July 2024.
The malicious files contained a loader component and a module designed to manipulate SELinux policies, enabling the spyware to elevate privileges and achieve persistence on the device. LandFall possesses extensive surveillance capabilities, including recording calls and microphone audio, tracking location, and accessing photos, messages, contacts, and browsing history. The campaign specifically targeted flagship Samsung models like the S22, S23, and S24 series, as well as Z Fold and Z Flip devices.
While the spyware's infrastructure shares some characteristics with known commercial surveillance vendors, researchers could not definitively attribute it to a specific threat actor. To defend against such threats, users are advised to promptly install security updates, disable automatic media downloads in messaging apps, and consider enabling advanced device protection modes. This incident highlights the ongoing risk of sophisticated mobile spyware delivered through popular communication platforms.

