Date: November 2025
Source: Unit 42
Target Platforms: Samsung Android Devices
Region Impacted: Middle East (Iraq, Iran, Turkey, Morocco)
Overview
Unit 42 researchers have uncovered a previously unknown Android spyware family, named LANDFALL, that exploited a zero-day vulnerability (CVE-2025-21042) in Samsung’s Android image processing library.
This flaw is part of a broader pattern of vulnerabilities discovered across multiple mobile platforms, highlighting the growing sophistication of spyware operators targeting high-value individuals and regions.
The vulnerability was actively exploited in the wild before being patched in April 2025, following reports of real-world attacks. While Samsung quickly addressed the issue, both the exploit and the commercial-grade spyware used alongside it had not been publicly analyzed until now.
How the Attack Worked
Researchers discovered that attackers embedded LANDFALL in malicious DNG image files—a format commonly used by cameras and photo apps. These images appeared to have been shared via WhatsApp, and the image processing vulnerability was triggered when the recipient's device parsed the file.
This attack chain bears resemblance to:
- An Apple–WhatsApp exploit that drew attention in August 2025.
- A similar Android zero-day vulnerability (CVE-2025-21043) disclosed in September 2025.
Importantly, the research confirmed that no unknown vulnerabilities were found in WhatsApp itself; the app merely served as the delivery channel for the exploit.
Current Risk and Patches
The immediate threat has been mitigated.
Samsung patched CVE-2025-21042 in April 2025, and subsequently addressed CVE-2025-21043 in September 2025 to strengthen the same image processing library.
This means no ongoing risk exists for Samsung devices that have applied these updates, though organizations should remain alert for similar attack vectors in future campaigns.
Indicators of Compromise (IoCs)
Vulnerabilities:
- CVE-2025-21042
- CVE-2025-21043
Malicious Domains:
brightvideodesigns[.]com
healthyeatingontherun[.]com
hotelsitereview[.]com
projectmanagerskills[.]com
IP Addresses:
File Hashes:
(full list available upon request or in the original Unit 42 report)
Targeted Regions:
- Middle East (Iraq, Iran, Turkey, Morocco)
Recommended Actions
To ensure protection against LANDFALL and similar threats, users and organizations should:
- Apply the latest Samsung security updates that include patches for CVE-2025-21042 and CVE-2025-21043.
- Disable automatic media downloads in messaging applications like WhatsApp.
- Avoid opening unsolicited or suspicious image files from unknown senders.
- Educate employees and users about mobile spyware and image-based exploits.
- Restrict unnecessary app permissions to uphold the principle of least privilege.
Help AG’s Response
At Help AG, our cybersecurity experts continue to monitor and respond to emerging threats using both proprietary intelligence and trusted external feeds.
For each newly identified threat, our team conducts threat-hunting exercises to assess potential impacts, understand the tactics, techniques, and procedures (TTPs) of attackers, and strengthen the defenses of our Managed Security Services (MSS) customers.
We proactively implement mitigations and early remediation measures to minimize exposure and ensure that customers remain protected against evolving cyber threats.