New Spyware Targets Samsung Devices via Zero-Day Vulnerability
SadaNews - A research team from "Palo Alto Networks" revealed a new family of spyware targeting the "Android" system named "LANDFALL," which has been used in hacking campaigns against "Samsung Galaxy" devices in the Middle East. The spyware relies on exploiting a zero-day vulnerability in Samsung's image processing library, part of a series of similar vulnerabilities identified over the past two years across various platforms.
According to researchers, the vulnerability was actively exploited before "Samsung" released a patch for it in April 2025, following initial reports indicating its practical use. At that time, no extensive technical analyses were published regarding the nature of the vulnerability or the associated malware.
Analysis from the company showed that the "LANDFALL" spyware was embedded in malicious image files in "DNG" format, which appear to have been sent via WhatsApp. The delivery mechanism is similar to "zero-click" attack chains previously identified against the "Apple" and "WhatsApp" platforms in August 2025, in addition to another potential exploit announced in September. The report confirmed that no new "WhatsApp" vulnerabilities are linked to this campaign so far.
The researchers noted that the "LANDFALL" campaign actually began in mid-2024, exploiting the vulnerability months before "Samsung" issued a fix. In September 2025, the company addressed a new vulnerability of the same type in the image library, enhancing protection against this type of attack.
The analysis from "Palo Alto Networks" indicated that the "LANDFALL" spyware was specifically designed for targeted attacks on "Samsung Galaxy" devices in the Middle East, with extensive monitoring capabilities including audio recording, geographic tracking, and access to photos, media, and contact data. The spyware operates by exploiting the "CVE-2025-21042" vulnerability in the image processing library through malicious "DNG" files believed to have been transmitted to users via popular communication channels.
Evidence suggests the potential use of a "zero-click targeting" method, similar to recent attacks targeting the "iOS" and "Samsung" platforms. Researchers also noted similarities in the campaign's infrastructure with previous commercial espionage operations in the region, which may strengthen the hypothesis of its connection to private entities. The spyware operated silently for several months before its discovery; the company confirms that devices that have received Samsung security updates since April 2025 are no longer vulnerable to this threat.