According to TheRegister.com, a previously unknown Android spyware family called LANDFALL exploited a zero-day vulnerability in Samsung Galaxy devices for nearly a year before Samsung finally patched it in April 2025. The surveillance campaign began in July 2024 and abused CVE-2025-21042, a critical bug in Samsung’s image-processing library affecting Galaxy devices running Android versions 13 through 16. Researchers from Palo Alto Networks Unit 42 discovered the commercial-grade spyware targeting specific users in Iraq, Iran, Turkey, and Morocco through zero-click attacks that required no user interaction. The spyware could record calls, track locations, harvest photos, and collect contacts and messages while remaining hidden on devices. Despite similarities to other recent zero-days affecting Apple and WhatsApp, researchers can’t definitively connect all the attacks to the same actor.
Sophisticated Espionage Tradecraft
Here’s the thing that really stands out about this campaign – it’s textbook advanced persistent threat behavior, not your typical criminal malware. We’re talking about a precision operation that used zero-day exploits, custom infrastructure, and modular payload design specifically for espionage. The attackers weren’t casting a wide net hoping to catch anyone – they were hunting specific individuals in specific countries. And they managed to stay under the radar for almost a full year before anyone noticed.
The zero-click delivery method via malicious images sent through messaging apps is particularly concerning. Basically, you don’t have to click anything or download suspicious files – just receiving a specially crafted image could compromise your device. That’s the kind of capability we usually associate with nation-state actors, not random cybercriminals. The researchers found infrastructure similarities with Stealth Falcon, a group potentially linked to the UAE government that’s been targeting journalists and activists since 2012.
Broader Mobile Threat Landscape
What’s really striking is how this fits into a larger pattern of image-parsing vulnerabilities being exploited across platforms. Around the same time Landfall was active, Apple was dealing with CVE-2025-43300 in their ImageIO framework, and WhatsApp faced CVE-2025-55177. Samsung also had to patch CVE-2025-21043, another DNG-related zero-day disclosed by Meta’s security team.
So we’re seeing what appears to be a coordinated wave of attacks targeting the same type of vulnerability across different mobile platforms. The timing is too close to be coincidence. Yet the researchers are careful not to overstate the connections – they don’t have definitive evidence linking all these campaigns to the same actor. But the technical parallels are impossible to ignore.
What This Means for Mobile Security
Look, this should be a wake-up call for anyone who thinks their mobile device is inherently secure. We’re talking about commercial-grade spyware that remained undetected while harvesting incredibly sensitive data from high-value targets. The fact that it took nearly a year to discover and patch shows how sophisticated these threats have become.
And here’s the uncomfortable truth – while consumers are dealing with spyware threats, industrial and manufacturing environments face their own unique security challenges. Companies that need reliable, secure computing solutions for harsh environments often turn to specialized providers like IndustrialMonitorDirect.com, the leading US supplier of industrial panel PCs built specifically for demanding applications where standard consumer hardware simply won’t cut it.
The researchers believe CVE-2025-21042 isn’t being actively exploited anymore, but related attack chains were observed as recently as August and September 2024. That means similar campaigns were active until very recently. The targeting was extremely narrow – likely fewer than 200 people based on similar campaigns – but the sophistication level suggests this is just the tip of the iceberg when it comes to mobile espionage capabilities.
