
Palo Alto Networks Unit 42 uncovered "Landfall," a sophisticated commercial-grade spyware that exploited a zero-day vulnerability (CVE-2025-21042) in Samsung's Android software, enabling zero-click surveillance on Galaxy S22-S24 and foldable devices throughout 2024 and early 2025. This advanced malware, likely developed by commercial surveillance contractors, allowed remote access to sensitive user data and device functions, targeting specific regions in the Middle East. While Samsung issued a patch in April 2025, the spyware's system-level modifications make removal difficult, underscoring the escalating threat of highly advanced mobile espionage and the challenges in mitigating such sophisticated attacks even post-patch.
Palo Alto Networks Unit 42 has uncovered "Landfall," a sophisticated commercial-grade spyware exploiting a zero-day vulnerability (CVE-2025-21042) in Samsung's Android software. This zero-click exploit, active throughout most of 2024 and early 2025, allowed attackers to gain extensive access to sensitive data and device functions on targeted Samsung Galaxy S22-S24 and foldable models. The campaign, focused on specific regions in the Middle East, highlights the evolving threat landscape of mobile espionage.
The malware leveraged manipulated DNG image files to embed malicious payloads, exploiting flaws in Samsung's image processing component without user interaction. While Samsung issued a patch in April 2025 for Android versions 13-15, Landfall's ability to modify system-level configurations makes its removal challenging even post-patch. This indicates a persistent risk for affected devices and underscores the difficulty in fully remediating advanced threats.
Unit 42's analysis suggests the spyware exhibits coding styles and infrastructure consistent with established commercial surveillance contractors, similar to NSO Group or Variston, rather than a one-off criminal toolset. This points to a well-resourced, professional development team behind the attacks. The incident reinforces the critical need for robust cybersecurity measures and continuous vigilance against state-sponsored or commercially developed advanced persistent threats (APTs) in the mobile sector.