Samsung spyware: a vulnerability exploited by LANDFALL via WhatsApp

A zero-day vulnerability in Samsung smartphones was recently brought to light, exploited by sophisticated spyware. Discovered by cybersecurity researchers, this malware used images sent on WhatsApp to infiltrate users’ devices. Here’s what you need to know about this now-fixed threat.

The 3 key points not to miss

  • LANDFALL exploited a zero-day vulnerability in Samsung smartphones via WhatsApp images.
  • The vulnerability allowed remote code execution, giving full access to the devices.
  • Samsung fixed the vulnerability in April 2025, thus limiting the impact of the spyware.

The discovery of LANDFALL by Unit 42

Researchers from Palo Alto Networks’ Unit 42 identified a spyware campaign targeting Samsung users in the Middle East. This attack exploited a flaw in Samsung’s image processing library, allowing attackers full access to smartphones.

The vulnerability, tracked as CVE-2025-21042, let this threat spread discreetly for several months before Samsung patched it.

Attack mechanism via .DNG files

The LANDFALL attack chain started with a modified .DNG image file sent over WhatsApp. The file contained a ZIP archive which, once opened, executed a script; that script then downloaded additional components onto the target device.

Among these components, a SELinux manipulator adjusted security settings to ensure prolonged spyware access to the system.
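As an added defender-side example (not code from the article, from Unit 42 or from Samsung), the Python triage check below flags a DNG/TIFF container that carries an embedded ZIP archive, the file shape the article describes. It relies only on the public TIFF and ZIP layouts; the sample bytes it builds are constructed for illustration and are not LANDFALL artifacts.

```python
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"      # ZIP end-of-central-directory record
LFH_SIG = b"PK\x03\x04"       # ZIP local file header

def is_tiff_container(data: bytes) -> bool:
    """DNG is TIFF-based: byte-order mark 'II' or 'MM', then magic 42."""
    if len(data) < 8 or data[:2] not in (b"II", b"MM"):
        return False
    endian = "<" if data[:2] == b"II" else ">"
    return struct.unpack(endian + "H", data[2:4])[0] == 42

def embedded_zip_offsets(data: bytes) -> dict:
    """Locate a ZIP inside the blob and sanity-check its EOCD record so a
    stray 'PK' pair inside pixel data is not reported as an archive."""
    eocd = data.rfind(EOCD_SIG)
    lfh = data.find(LFH_SIG)
    if eocd < 0 or lfh < 0 or lfh > eocd or len(data) < eocd + 22:
        return {"zip": False}
    # EOCD fields after the 4-byte signature (little-endian): disk no.,
    # CD disk, entries on disk, total entries, CD size, CD offset, comment len
    _, _, _, entries, cd_size, cd_off, comment_len = struct.unpack(
        "<HHHHIIH", data[eocd + 4:eocd + 22])
    consistent = (entries >= 1
                  and lfh + cd_off + cd_size == eocd          # archive appended intact
                  and eocd + 22 + comment_len == len(data))   # EOCD closes the file
    return {"zip": consistent, "zip_start": lfh, "eocd": eocd, "entries": entries}

def triage_dng(data: bytes) -> dict:
    """Suspicious = valid TIFF/DNG header AND a structurally sound ZIP inside."""
    info = embedded_zip_offsets(data)
    info["tiff_container"] = is_tiff_container(data)
    info["suspicious"] = info["tiff_container"] and info["zip"]
    return info

def build_samples() -> tuple:
    """Constructed samples: a bare little-endian TIFF header with an empty IFD
    plus zero filler standing in for image data, and the same bytes with a
    benign in-memory ZIP appended. Neither is a real DNG or real spyware."""
    tiff = b"II*\x00" + struct.pack("<I", 8) + struct.pack("<HI", 0, 0) + b"\x00" * 64
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("note.txt", "constructed benign archive")
    return tiff, tiff + buf.getvalue()
```

The check is a triage heuristic for mail or messaging gateways and forensic sweeps, not a parser of the vulnerable image library; a hit means the file deserves a sandbox look, and the consistency test only suppresses accidental byte matches, not a deliberately mangled archive.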

The capabilities of LANDFALL

LANDFALL is equipped with advanced features allowing it to collect detailed information about the device. It can record conversations, access photos, SMS, contacts, and browsing history. Additionally, it is capable of tracking users’ locations.

This spyware was also designed to avoid detection, making it particularly insidious. Its persistence in the system allows it to remain active even after reboots.

Origins and similarities with other spyware

Although LANDFALL’s infrastructure shows similarities with other operations such as those conducted by Stealth Falcon, researchers have not been able to establish a direct link with known spyware companies like NSO Group or Cytrox.

These observations indicate a possible origin from the United Arab Emirates, but the exact perpetrators of this campaign remain unidentified.

Context of Samsung and its security vulnerabilities

Samsung, one of the global leaders in the smartphone market, has faced several security challenges over the years. Zero-day vulnerabilities, like the one exploited by LANDFALL, pose a serious threat to users and highlight the importance of regular updates to protect devices.

To address these threats, Samsung is committed to constantly improving the security of its products and working closely with cybersecurity researchers to quickly identify and fix vulnerabilities.
