Samsung Zero-Click WhatsApp Spyware Hits Galaxy Devices - Zero-Day (CVE-2025-21042) Exploited by “LANDFALL” Campaign
Date: November 9, 2025
Overview: Security researchers have disclosed a widespread targeted spyware operation — dubbed “LANDFALL” — that exploited a zero-day vulnerability in a Samsung image-processing library to silently compromise Galaxy devices via specially crafted image files delivered over messaging apps such as WhatsApp. The vulnerability (tracked as CVE-2025-21042) enables remote code execution when a vulnerable device processes a malicious image file, allowing attackers to install a fully featured Android surveillance implant without any user interaction.
How the exploit works
Analysis by multiple digital-forensics teams shows the campaign weaponized an out-of-bounds write flaw in Samsung’s image-codec library. The exploit is delivered as a seemingly innocuous image (often a DNG file) attached or forwarded in messaging apps; when the vulnerable image-decoder processes the crafted file, it triggers memory corruption that attackers chain into an in-memory loader. That loader writes and executes a compact native payload that escalates into a full Android spyware implant. The delivery is effectively “zero-click” in many contexts — no explicit user action is required to trigger the vulnerability.
Scope, targets and timeline
Telemetry and sample dating indicate LANDFALL has been active for many months, with some forensic artefacts tracing back into 2024. The campaign primarily targets a range of Samsung Galaxy flagship and recent models, and victims have clustered in sensitive regions including parts of the Middle East, North Africa and Western Asia. Although Samsung released patches earlier in 2025 that remediate the underlying library flaw, many devices remain unpatched due to user delay, carrier update lag or end-of-life status — keeping a substantial population of devices vulnerable.
Capabilities of the LANDFALL spyware
Once implanted, the surveillance stack provides extensive remote-monitoring capabilities consistent with advanced Android spyware:
- Native persistence via staged loaders, together with attempts to disable telemetry and tamper with logs.
- Real-time microphone capture and call recording where platform policies permit.
- Continuous geolocation tracking and exfiltration of location history.
- Collection and exfiltration of photos, videos, contacts, messages and call histories.
- Access to device storage and potential harvesting of on-device credentials or authentication tokens.
Analysts note the implant includes anti-analysis features and layered obfuscation to persist stealthily and complicate forensic recovery.
Why messaging apps and images are effective delivery vectors
Messaging applications that auto-process or generate thumbnails for images create an attractive attack surface for zero-click exploits. Attackers craft image files so that when the platform’s image decoder runs — often to create a preview or to index the media — exploitation occurs without the user explicitly opening the file. Messaging apps accepting large media attachments become convenient drop points for such payloads, enabling operators to deliver implants while minimizing obvious indicators to recipients.
Detection, indicators of compromise and forensic signs
Detecting LANDFALL infections can be challenging because the initial native loader operates primarily in memory and attempts to remove traces, but responders can hunt for several artefacts and behaviors:
- Receipt of unexpected or out-of-context DNG or oversized image files via messaging apps, especially from unknown or suspicious contacts.
- Sudden appearance of native libraries (.so) in app-specific directories or unusual files under messaging app data folders that do not match expected filenames.
- Abnormal process or thread activity shortly after message receipt (thumbnail generation, decoder processes spawning ancillary native threads).
- Unexplained network connections from devices to cloud hosting providers or ephemeral domains shortly after media receipt.
- Battery drain, microphone usage, or network usage spikes not correlated with user behavior.
Responders should collect device dumps, logcat outputs, network captures and messaging-app artefacts immediately when compromise is suspected.
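As an added example (not from the original report, and not based on the campaign's real artefacts), the script below turns the indicator list above into a simple hunting routine over normalized mobile telemetry: it keys on a suspicious media receipt (DNG, oversized, or from an unknown contact) and then looks, within a short window on the same device, for the follow-on behaviours the report describes (a `.so` appearing under the messaging app's data directory, an unexpected outbound connection, the messaging app spawning a child process). The event schema, the thresholds, the allowlist and the sample timeline are all constructed assumptions; only `com.whatsapp` is a real package name.

```python
"""Hunt mobile telemetry for the LANDFALL-style indicator chain described above.

Added example; the event schema and the sample events below are constructed
for illustration and are not derived from the campaign's real artefacts.
"""
from datetime import datetime, timedelta
from typing import Dict, List

# Tunables (assumptions chosen for illustration, not from the report).
WINDOW = timedelta(minutes=10)           # correlate follow-on events within this window
OVERSIZED_BYTES = 8 * 1024 * 1024        # treat media above this size as "oversized"
SUSPICIOUS_EXT = (".dng",)               # the report singles out DNG delivery
MESSAGING_PKGS = ("com.whatsapp",)       # WhatsApp's package name; extend per fleet
KNOWN_EGRESS = {"whatsapp.net", "samsung.com"}  # constructed allowlist of expected hosts


def _ts(event: Dict) -> datetime:
    return datetime.fromisoformat(event["ts"])


def host_expected(host: str) -> bool:
    """True when host is, or is a subdomain of, an allowlisted egress domain."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in KNOWN_EGRESS)


def dropped_native_lib(path: str) -> bool:
    """A .so appearing under a messaging app's private data directory."""
    return path.endswith(".so") and any(
        path.startswith(f"/data/data/{pkg}/") for pkg in MESSAGING_PKGS)


def hunt(events: List[Dict]) -> List[Dict]:
    """Return one finding per media receipt that matches the indicator chain.

    Severity is 'high' when a behavioural follow-on (dropped .so, unexpected
    egress, unusual child process) occurs within WINDOW of the receipt, and
    'low' when only the receipt itself looks odd.
    """
    events = sorted(events, key=_ts)
    findings = []
    for m in (e for e in events if e["kind"] == "media_received"):
        receipt, follow_on = [], []
        name = m["filename"].lower()
        if name.endswith(SUSPICIOUS_EXT):
            receipt.append("DNG attachment")
        if m["size"] >= OVERSIZED_BYTES:
            receipt.append("oversized media")
        if not m.get("known_contact", False):
            receipt.append("unknown sender")
        if not receipt:
            continue  # ordinary media from a known contact: nothing to chase
        t0 = _ts(m)
        for e in events:
            if e["device"] != m["device"] or e is m:
                continue
            delta = _ts(e) - t0
            if delta < timedelta(0) or delta > WINDOW:
                continue
            if e["kind"] == "file_created" and dropped_native_lib(e["path"]):
                follow_on.append(f"native library dropped: {e['path']}")
            elif e["kind"] == "net_connect" and not host_expected(e["host"]):
                follow_on.append(f"unexpected egress to {e['host']}")
            elif e["kind"] == "proc_spawn" and e.get("parent") in MESSAGING_PKGS:
                follow_on.append(f"messaging app spawned {e['child']}")
        findings.append({
            "device": m["device"],
            "ts": m["ts"],
            "severity": "high" if follow_on else "low",
            "reasons": receipt + follow_on,
        })
    return findings


# Constructed sample timeline (not real telemetry; paths and hosts are made up).
SAMPLE_EVENTS = [
    {"ts": "2025-11-01T09:00:00", "device": "A", "kind": "media_received",
     "app": "com.whatsapp", "filename": "IMG_2311.dng", "size": 12_000_000,
     "known_contact": False},
    {"ts": "2025-11-01T09:00:04", "device": "A", "kind": "file_created",
     "path": "/data/data/com.whatsapp/files/.tmp/libx.so"},
    {"ts": "2025-11-01T09:00:09", "device": "A", "kind": "proc_spawn",
     "parent": "com.whatsapp", "child": "/data/data/com.whatsapp/files/.tmp/l"},
    {"ts": "2025-11-01T09:00:40", "device": "A", "kind": "net_connect",
     "host": "cdn-a7f3.example.net", "port": 443},
    {"ts": "2025-11-01T09:05:00", "device": "B", "kind": "media_received",
     "app": "com.whatsapp", "filename": "lunch.jpg", "size": 240_000,
     "known_contact": True},
    {"ts": "2025-11-01T09:05:01", "device": "B", "kind": "net_connect",
     "host": "media.whatsapp.net", "port": 443},
    {"ts": "2025-11-01T10:30:00", "device": "C", "kind": "media_received",
     "app": "com.whatsapp", "filename": "scan.dng", "size": 3_000_000,
     "known_contact": False},
    {"ts": "2025-11-01T12:00:00", "device": "C", "kind": "net_connect",
     "host": "cdn-a7f3.example.net", "port": 443},  # outside the window
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f["severity"].upper(), f["device"], f["ts"], "; ".join(f["reasons"]))
```

Run against the constructed timeline, device A is reported as high (DNG, oversized, unknown sender, followed by a dropped `.so`, a spawned child and egress to a non-allowlisted host), device C as low (a DNG from an unknown contact with no follow-on inside the window), and device B is not reported at all. The allowlist and window are the parts a real deployment would tune to its own fleet; the point of the structure is that a receipt indicator alone should prioritise, while the follow-on behaviours are what justify pulling a full device dump.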
Patch status and vendor response
Samsung issued security updates addressing the root-cause library flaws earlier in 2025. Devices that received those patches are protected against this exploitation vector. Messaging platforms have also issued advisories for related zero-click vectors and advise users to run the latest client releases. Nonetheless, many devices remain unpatched due to user inaction, delayed carrier rollouts or unsupported device lifecycles — a gap attackers continue to exploit.
Attribution and likely motive
Public reporting has refrained from definitive attribution. The campaign’s sophistication, long dwell time and targeted victimology — journalists, activists, government officials and other persons of interest — are consistent with operations conducted by well-resourced commercial surveillance vendors or state-aligned actors seeking covert intelligence. Observed patterns prioritize stealthy, long-term intelligence collection rather than mass financial theft, reinforcing espionage-style objectives.
Organizational and national-security impact
Zero-click spyware campaigns against mobile devices carry far-reaching privacy and national-security implications. Compromise of phones used by diplomats, defense personnel, journalists or executives can leak privileged communications, travel plans and sensitive documents. Within enterprise contexts, BYOD compromise can expose corporate credentials, session tokens, multi-factor authentication second factors and internal communications — potentially enabling broader intrusions.
Immediate mitigation and defensive steps
For individual users, especially high-risk individuals:
- Update Samsung devices to the latest available security patch immediately; if no update is available, consider upgrading to a supported device.
- Update messaging apps (WhatsApp and others) to the most recent releases and enable all recommended security settings.
- Disable automatic media downloads/previews in messaging apps and avoid accepting unsolicited large media files.
- Use a dedicated, tightly managed device for sensitive communications where feasible.
For organizations and enterprise defenders:
- Enforce managed-device policies with mandatory OS patch windows and centralized patch compliance monitoring.
- Configure MDM/EMM controls to disable auto-download/auto-preview of media and block installation of unapproved native libraries.
- Ingest mobile telemetry into SIEM/EDR and monitor for anomalous outbound connections, unusual process activity and sudden changes in device behaviour.
- Prepare an incident-response playbook for suspected mobile compromise that includes forensic capture, isolation and coordination with national cyber authorities.
Law-enforcement, disclosure and investigative next steps
Given the targeted nature and potential national-security impact, affected parties should consider sharing forensic artefacts with national cyber defences and trusted vendors for attribution and takedown. Messaging platforms and device makers should collaborate to harden image-decoding pipelines and reduce the attack surface for media-parsing exploits, for example by sandboxing thumbnail generation and adding validation checks before auto-processing external media.
Why this matters
LANDFALL demonstrates an ongoing trend: attackers weaponize legitimate content types (images, documents) to achieve stealthy, zero-click compromise of mobile devices. A vendor-level image library flaw combined with ubiquitous messaging apps creates a potent espionage vector that is difficult to detect and can persist for long periods if unpatched. The incident underscores the importance of keeping devices and messaging clients updated, restricting automatic media handling, and treating mobile endpoints as critical attack surfaces.
Next steps for readers: Update devices and apps now, disable automatic media previews in messaging applications, and if you suspect compromise, contact your security team or national cyber authority for guidance. Organizations should review mobile device management policies and consider emergency patch enforcement for at-risk employees.