Samsung Galaxy zero-day exploited to deploy the LANDFALL Android spyware


A since-patched vulnerability in Samsung Galaxy Android devices was exploited as a zero-day to deliver a sophisticated Android spyware called LANDFALL in targeted attacks in the Middle East. The flaw, tracked as CVE-2025-21042 (CVSS score 8.8), resides in the "libimagecodec.quram.so" image-parsing component and allows remote attackers to execute arbitrary code, according to Palo Alto Networks Unit 42. Samsung patched it in April 2025.

Unit 42 stated that the vulnerability was already being exploited in the wild before the patch was released.
The activity, which Unit 42 tracks as CL-UNK-1054, is believed to have targeted Iraq, Iran, Turkey, and Morocco, based on VirusTotal submission data.

This development follows Samsung's September 2025 disclosure about another flaw in the same library, CVE-2025-21043, which was also exploited as a zero-day.
However, there is no indication that this second flaw was used in the LANDFALL campaign. Samsung has not yet responded to requests for comment.

The attacks delivered malicious images via WhatsApp, specifically DNG (Digital Negative) files.
Evidence shows that LANDFALL samples existed as early as July 23, 2024; the recovered files carried WhatsApp-style JPEG names such as "WhatsApp Image 2025-02-10 at 4.54.17 PM.jpeg" and "IMG-20240723-WA0000.jpg" despite being DNG images, so the vulnerable library parsed them by content rather than by extension.

Itay Cohen, a senior principal researcher at Unit 42, told The Hacker News that he has not seen any major changes in the LANDFALL malware between July 2024 and February 2025, when the most recent sample was uploaded to VirusTotal.

Once installed, LANDFALL functions as a full-featured spy tool, collecting sensitive information such as microphone recordings, location data, photos, contact details, SMS messages, files, and call logs.

Unit 42 noted that the exploit chain might have used a zero-click method to trigger CVE-2025-21042 without any user interaction, but there is currently no evidence that this occurred.
Nor is there any evidence that an unknown WhatsApp vulnerability was involved.

The Android spyware is specifically crafted to target Samsung's Galaxy S22, S23, and S24 models, as well as the Z Fold 4 and Z Flip 4 devices. These are some of the top-tier products from the South Korean electronics company, with the exception of the most recent models.

It's also important to mention that at the same time, WhatsApp revealed a flaw in its messaging app for iOS and macOS (CVE-2025-55177, with a CVSS score of 5.4) that was linked with another flaw in Apple's iOS, iPadOS, and macOS (CVE-2025-43300, CVSS score of 8.8).
This vulnerability chain was used in a targeted campaign against fewer than 200 users. Apple and WhatsApp have since fixed these issues.

Unit 42's analysis of the recovered DNG files shows that each carries a ZIP archive appended to the end of the image.
The exploit extracts a shared object library from that archive and loads it to run the spyware. The archive also contains a second shared object crafted to modify the device's SELinux policy, which lets LANDFALL gain elevated privileges and persist on the device.
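A triage check for the delivery format described above, written here as an added example (it is not Unit 42's tooling and not code from the page): it confirms the file really is a TIFF/DNG by its magic bytes regardless of a .jpg or .jpeg name, locates a ZIP end-of-central-directory record after the image, works back to the archive start and lists the entries. The sample file, and the entry names libloader.so and libselinux_patch.so, are constructed for the demonstration and are not actual LANDFALL artifacts.

```python
import io
import struct
import zipfile

TIFF_MAGICS = (b"II*\x00", b"MM\x00*")   # little-endian and big-endian TIFF/DNG headers
LOCAL_HDR_SIG = b"PK\x03\x04"
EOCD_SIG = b"PK\x05\x06"


def find_appended_zip(data: bytes):
    """Detect a ZIP archive glued onto the end of a TIFF/DNG image.

    Returns (offset_of_zip_start, [entry names]) or None. The check keys on the
    image magic, not the file extension, because the campaign's samples carried
    .jpg/.jpeg names while actually being DNG files.
    """
    if data[:4] not in TIFF_MAGICS:
        return None
    # The EOCD record is at most 22 + 65535 bytes from EOF (16-bit comment length).
    tail_start = max(0, len(data) - (22 + 0xFFFF))
    eocd = data.rfind(EOCD_SIG, tail_start)
    if eocd < 0 or eocd + 22 > len(data):
        return None
    # EOCD layout: sig(4) disk(2) cd_disk(2) n_this(2) n_total(2) cd_size(4) cd_offset(4) comment_len(2)
    cd_size, cd_offset = struct.unpack_from("<II", data, eocd + 12)
    # ZIP offsets are relative to the archive start, so the archive begins at
    # EOCD position minus central directory size minus central directory offset.
    zip_start = eocd - cd_size - cd_offset
    if zip_start < 8 or data[zip_start:zip_start + 4] != LOCAL_HDR_SIG:
        return None
    with zipfile.ZipFile(io.BytesIO(data[zip_start:])) as zf:
        names = [info.filename for info in zf.infolist()]
    return zip_start, names


def build_sample() -> bytes:
    """Constructed test input: a minimal little-endian TIFF (one empty IFD) with a ZIP appended."""
    header = (b"II*\x00" + struct.pack("<I", 8)        # magic + offset of first IFD
              + struct.pack("<H", 0)                   # IFD with zero entries
              + struct.pack("<I", 0))                  # no next IFD
    image = header + b"\x00" * 64                      # padding standing in for image data
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        # Hypothetical entry names; contents are placeholders, not real ELF objects.
        zf.writestr("libloader.so", b"\x7fELF" + b"\x00" * 12)
        zf.writestr("libselinux_patch.so", b"\x7fELF" + b"\x00" * 12)
    return image + buf.getvalue()


if __name__ == "__main__":
    sample = build_sample()
    print(find_appended_zip(sample))        # (78, ['libloader.so', 'libselinux_patch.so'])
    print(find_appended_zip(sample[:78]))   # None: clean image, no trailing archive
```

Python's zipfile module tolerates prepended data on its own, but computing the archive start explicitly gives you the offset to carve and a sanity check that a local file header really sits there. On a real DNG you would additionally compare that offset against the end of the last IFD and strip data, since a legitimate DNG never carries a trailing archive.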

The shared object that loads LANDFALL communicates with a command-and-control (C2) server over HTTPS to enter a beaconing loop and retrieve unspecified payloads for later execution.

"At this point, we can't share details about the next-stage payloads delivered from the C2 server," Cohen said.
"What we can say is that LANDFALL is a modular spyware framework -- the loader we studied was clearly designed to fetch and execute additional components from the C2 infrastructure. Those later stages likely expand its surveillance and persistence abilities, but they weren’t found in the samples available to us."

So far, there is no known information on who is behind the spyware or the campaign.
However, Unit 42 pointed out that the C2 infrastructure and domain registration patterns of LANDFALL align with those of Stealth Falcon (also known as FruityArmor). But as of October 2025, there have been no direct connections found between the two groups.

The findings suggest that the delivery of LANDFALL is likely part of a larger wave of DNG exploitation that also affected iPhone devices through the earlier exploit chains.
They also show how sophisticated exploit samples can sit unnoticed in public malware repositories such as VirusTotal for a long time until someone analyzes them thoroughly.

Cohen said, "We don't think this particular exploit is still being used because Samsung fixed it in April 2025. However, we saw related exploit chains targeting Samsung and iOS devices as recently as August and September, which shows similar attacks were still happening not too long ago. Some of the tools or systems that might be connected to LANDFALL are still online, which could mean the same group is still active or planning more attacks."
