New Spyware Exploits Samsung Zero-Day
A newly discovered spyware, dubbed ‘LandFall’, has been found exploiting a critical zero-day vulnerability in Samsung devices. According to researchers at Palo Alto Networks’ Unit 42, threat actors delivered the malware through malicious images sent via WhatsApp and have targeted specific users in the Middle East since at least July 2024, despite a patch being available since April of this year.
How the LandFall Attack Works
The attack leverages a vulnerability tracked as CVE-2025-21042, a critical flaw in Samsung’s image processing library that allows for remote code execution. Attackers sent a specially crafted .DNG raw image file via WhatsApp. This file contained hidden components, including a loader to fetch additional modules and a tool to manipulate the device’s SELinux security policy. This allowed the spyware to gain elevated permissions and establish persistence on the infected device, effectively bypassing built-in protections.
Targets and Capabilities
The campaign targeted a wide range of flagship devices, including the Galaxy S22, S23 and S24 series and the Z Fold 4 and Z Flip 4 models. Data suggests potential victims were located in Iraq, Iran, Turkey, and Morocco. LandFall is a sophisticated surveillance tool capable of fingerprinting a device using hardware and SIM identifiers, executing arbitrary code, and evading detection. While it shares some infrastructure patterns with known threat actors, researchers could not definitively attribute it to a specific spyware vendor. Users are strongly advised to install all OS updates, disable automatic media downloads in messaging apps, and enable advanced security features to mitigate such threats.