New “Landfall” Spyware Targets Samsung Galaxy Devices via Zero‑Day Image Exploit

What happened

Security researchers at Palo Alto Networks’ Unit 42 uncovered a sophisticated Android spyware campaign named LANDFALL that exploited a zero-day vulnerability (CVE-2025-21042) in the image-processing library of Samsung Galaxy devices. The spyware was delivered via malformed Digital Negative (DNG) image files, likely distributed through messaging apps such as WhatsApp, and was capable of recording conversations, capturing photos, tracking location, and exfiltrating contacts, call logs, and other device data.

The campaign reportedly ran from at least mid-2024 until Samsung issued a patch in April 2025 (and another in September 2025 for a related flaw). 

Who is affected

The primary targets were Samsung Galaxy flagship devices, including the S22, S23, and S24 series, as well as the Z Fold4 / Z Flip4 models. Geographically, the victims are likely located in Middle Eastern countries such as Iraq, Iran, Turkey, and Morocco. Although the vulnerability is now patched, any devices not updated remain at risk, and the nature of the targeted attack suggests organisations with executives or sensitive operations in these regions should be particularly alert.

Why CISOs should care

  • This incident highlights how mobile-device vulnerabilities, particularly in flagship smartphones, can be exploited for high-value espionage rather than just mass malware. The attack chain used image files delivered through a trusted channel to compromise devices without obvious user interaction.
  • Flagship devices (often part of executive fleets or C‑suite mobile deployments) were specifically targeted, meaning mobile security can no longer be treated as a second‑tier risk in enterprise operations.
  • The malware shares tradecraft and infrastructure characteristics with known commercial spyware vendors/PSOAs (private-sector offensive actors), meaning the attack isn’t opportunistic but precision-designed.
  • Even though the specific zero-day vulnerability is patched, the underlying vector (image-processing libraries, messaging app delivery) remains valid, and similar campaigns may follow. CISOs need to assume that mobile endpoints are a live threat surface, especially in high-risk geographies or for mission-critical personnel.

3 Practical Actions

  1. Ensure full patching of mobile firmware and OS: Confirm that all corporate-issued Samsung devices (and other Android devices) have been updated to patch CVE-2025-21042 and the related image-codec flaw (CVE-2025-21043), and ensure messaging apps are current.
  2. Enhance mobile threat detection and behaviour analytics: Deploy or enable mobile EDR/MDR monitoring that can detect unusual behaviours such as hidden microphone activation, anomalous network connections to known C2 domains, and suspicious image file handling. Include mobiles in threat‑hunt processes.
  3. Segment and control access from mobile devices: Apply least‑privilege access controls for mobile endpoints, enforce strong mobile‑device management (MDM) policies, and treat mobile devices of executives or high‑risk roles as high‑value assets, including restricting sensitive data access and enforcing encryption and secure transmission of critical communications.
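One way to carry out the patch verification in action 1 across a fleet, as an added example that is not code from Unit 42, Samsung or the article: it reads a constructed MDM inventory export (model name plus the device's ro.build.version.security_patch value) and flags Galaxy models named above whose patch level predates the fixes. The patch-level dates 2025-04-01 and 2025-09-01 are assumptions derived from the patch months the article gives, not values confirmed by the page.

```python
import csv
import io
from datetime import date

# Added example (not Unit 42 or Samsung code). Galaxy series the article names
# as targeted; matched case-insensitively against the MDM model name.
AFFECTED_SERIES = ("galaxy s22", "galaxy s23", "galaxy s24", "z fold4", "z flip4")

# Assumed monthly security patch levels carrying each fix, derived from the
# patch months the article gives (April and September 2025).
PATCH_LEVELS = {
    "CVE-2025-21042": date(2025, 4, 1),
    "CVE-2025-21043": date(2025, 9, 1),
}

# Constructed sample inventory (device IDs and patch values are made up).
SAMPLE_INVENTORY = """device_id,model,security_patch
exec-001,Samsung Galaxy S24 Ultra,2025-03-01
exec-002,Samsung Galaxy S23,2025-06-01
exec-003,Samsung Galaxy Z Fold4,2025-10-01
exec-004,Google Pixel 8,2025-02-01
exec-005,Samsung Galaxy S22,not-reported
"""

def is_affected_model(model: str) -> bool:
    """True if the model belongs to a series the article lists as targeted."""
    name = model.lower()
    return any(series in name for series in AFFECTED_SERIES)

def missing_fixes(security_patch: str) -> list[str]:
    """CVEs whose (assumed) patch level the device has not reached; an unparseable value fails closed."""
    try:
        level = date.fromisoformat(security_patch.strip())
    except ValueError:
        return sorted(PATCH_LEVELS)
    return sorted(cve for cve, needed in PATCH_LEVELS.items() if level < needed)

def audit(inventory_csv: str) -> dict[str, list[str]]:
    """Map device_id -> unpatched CVEs, for affected Samsung models only."""
    findings = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        if is_affected_model(row["model"]):
            gaps = missing_fixes(row["security_patch"])
            if gaps:
                findings[row["device_id"]] = gaps
    return findings

if __name__ == "__main__":
    for dev, cves in audit(SAMPLE_INVENTORY).items():
        print(f"{dev}: still exposed to {', '.join(cves)}")
```

Devices that do not report a parseable patch level are listed against both CVEs so they are investigated rather than silently passed.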