
LandFall spyware attacks targeted Samsung via WhatsApp.


It’s not been the best week for smartphone users, what with news of yet another dangerous iPhone attack, and warnings from Google about active Gmail scams. But Samsung users are the subject of the latest headlines as security researchers reveal details of a hack attack that exploited a critical zero-day vulnerability to install spyware on smartphones, using WhatsApp images as the way in. Thankfully, the vulnerability has been patched. But here’s everything you need to know about LandFall.

How LandFall Hackers Exploited CVE-2025-21042 To Install Spyware On Samsung Phones

Security researchers from the Palo Alto Networks Unit 42 team have published an in-depth analysis of a zero-day vulnerability within the Samsung Android image processing library. The CVE-2025-21042 exploit is just one part of a spyware family, the researchers said, which has been named LandFall. “This vulnerability was actively exploited in the wild before Samsung patched it in April 2025,” the report confirmed. The commercial-grade LandFall spyware, alongside the exploit used, had not been publicly reported or analyzed. Until now.

The LandFall exploit was distributed by being embedded in malicious image files using the DNG format, and sent by way of WhatsApp messages, according to the report. However, Unit 42 pointed out that the “research did not identify any unknown vulnerabilities in WhatsApp.” I have approached Meta for a statement.

Known to have been operating since at least as far back as July 2024, LandFall was using the critical CVE-2025-21042 zero-day vulnerability for months before it was eventually patched in April 2025. I have approached Samsung for a statement, but it’s important to note that there is no risk to current users because of that update. In September, “Samsung also patched another zero-day vulnerability in the same image processing library,” Unit 42 said, “further protecting against this type of attack.”


Which is good to know, as LandFall is a full-on commercial-grade spyware attack that enabled what the report referred to as comprehensive surveillance. This included the use of the smartphone microphone, location-tracking functionality, contacts, call logs, and photos.

The bad news is that, as Unit 42 said, the use of malformed DNG files “highlights a significant, recurring attack vector: the targeting of vulnerabilities within DNG image processing libraries.” CVE-2025-21042 was not the first and is unlikely to be the last vulnerability that can be exploited by LandFall or similar spyware. The advice, therefore, is to remain vigilant, whether you are a Samsung user or not: keep your devices updated and avoid opening random WhatsApp messages. You might also want to consider using Android’s advanced protection mode.