Samsung Zero-Day Flaw Exploited by ‘Landfall’ Spyware
Cyberwarfare / Nation-State Attacks
,
Endpoint Security
,
Fraud Management & Cybercrime
Spyware Targets Samsung Galaxy Devices, Says Unit 42
Hackers used previously unknown commercial spyware to surveil the activities of Samsung Galaxy device owners in the Middle East, say security researchers who posit the threat actor has connections to the United Arab Emirates.
See Also: 5 Ways Exabeam Helps Eliminate Compromised Credential Blindspots
Researchers from Palo Alto Networks Unit 42 on Friday disclosed spyware they dub “Landfall,” writing that the manufacturer patched it in April. Tracked as CVE-2025-21042, the flaw let hackers embed malware into a DNG image file, possibly texted to the victim through WhatsApp.
It appears that device infections didn’t require user interaction after hackers sent the corrupted image – constituting what’s known as a zero-click attack.
Unit 42 doesn’t attribute the malware to any particular actor, but researchers did find similarities between Landfall’s command and control infrastructure and domain registration patterns and infrastructure associated with Stealth Falcon, a threat actor that is at least circumstantially associated with the UAE government.
Developers of the spyware might be Variston, a Barcelona-based vendor that reportedly shut down earlier this year. Unit 42 again wrote that it can’t be certain, but said analysis of spyware components suggest a link to Variston, which has supplied tooling to UAE clients.
Once a device has been infected, Landfall essentially becomes a surveillance hub. The spyware is capable of microphone recording, location tracking and exfiltrating personal data in addition to stealing photos, contacts and call logs.
Unit 42 said it probed the flaw after Apple in August patched a similar flaw for iOS devices. That flaw, tracked as CVE-2025-43300, also exploited mobile operation system processing of DNG images.
“We cannot confirm whether this chain was used to deliver an equivalent of Landfall to iOS, or whether it is the same threat actor behind the two. However, this parallel development in the iOS ecosystem, combined with the disclosure of the Samsung and Apple vulnerabilities just a few weeks apart, highlights a broader pattern of DNG image processing vulnerabilities being leveraged in sophisticated mobile spyware attacks,” researchers wrote.