CISA has urged organizations to patch a vulnerability in Samsung Galaxy Android devices that has been used in active campaigns to deploy spyware known as ‘LANDFALL.’
LANDFALL allows attackers to gather information from microphones, photos, browser history, and messages.
The vulnerability (CVE-2025-21042) was disclosed and patched by Samsung in April 2025. But threat researchers at Palo Alto Networks revealed this week that the flaw has been actively exploited since at least July 2024.
Following this report, CISA has added the vulnerability to its KEV (Known Exploited Vulnerabilities) Catalog, which requires all federal agencies to remediate affected devices.
In their analysis, Unit 42 said they had observed samples of the spyware as far back as July 23, 2024. They also continued to see samples after Samsung released a fix in April 2025, during the “patch gap” between Samsung releasing the patch and users installing it.
Palo Alto Networks warns that this is “not an isolated case but rather part of a broader pattern of similar issues found on multiple mobile platforms.”
Similar vulnerabilities have been found to exist on other mobile operating systems, which have enabled sophisticated threat actors to deploy spyware against targeted individuals.
What is LANDFALL Spyware and how was it delivered?
LANDFALL is a comprehensive spy tool that is capable of harvesting sensitive data through microphones, as well as location, photos, contacts, SMS, files, and call logs.
Spyware is typically delivered without the user’s knowledge by exploiting highly sophisticated vulnerabilities present in mobile operating systems.
LANDFALL spyware is “Delivered through malformed DNG image files exploiting CVE-2025-21042—a critical zero-day vulnerability in Samsung’s image processing library,” said the Unit 42 researchers.
A DNG (“Digital Negative”) is a raw image file format based on TIFF. The malicious DNG files used in this campaign carry an embedded ZIP archive, within which the attackers hide the spyware.
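A legitimate camera raw image has no reason to carry a ZIP archive, so one cheap triage check for defenders is to confirm a file really starts with a TIFF header (as DNG does) and then look for a ZIP local-file-header signature inside it. The script below is an added example, not code from Unit 42 or Samsung; the sample file it builds is constructed here and is not a real LANDFALL artifact.

```python
import struct

# TIFF headers: little-endian "II" or big-endian "MM", followed by 42.
TIFF_MAGICS = (b"II*\x00", b"MM\x00*")
# Every ZIP archive member starts with a local file header signature.
ZIP_LOCAL_HEADER = b"PK\x03\x04"


def is_tiff_based(data: bytes) -> bool:
    """True if the bytes begin with a TIFF header (DNG is TIFF-based)."""
    return data[:4] in TIFF_MAGICS


def find_embedded_zip(data: bytes) -> int:
    """Return the offset of the first ZIP local-file header inside a
    TIFF/DNG payload, or -1 if the file is not TIFF-based or has none.
    Any hit in a camera raw file is worth quarantining for closer review."""
    if not is_tiff_based(data):
        return -1
    return data.find(ZIP_LOCAL_HEADER)


def build_constructed_dng_with_zip() -> bytes:
    """Constructed sample (not an exploit file): a minimal little-endian
    TIFF header, one empty IFD, some padding, then a ZIP local header."""
    header = b"II*\x00" + struct.pack("<I", 8)          # first IFD at offset 8
    ifd = struct.pack("<H", 0) + struct.pack("<I", 0)    # 0 entries, no next IFD
    padding = b"\x00" * 16
    zip_stub = ZIP_LOCAL_HEADER + b"\x14\x00" + b"\x00" * 24 + b"payload.bin"
    return header + ifd + padding + zip_stub


if __name__ == "__main__":
    sample = build_constructed_dng_with_zip()
    print("embedded ZIP at offset:", find_embedded_zip(sample))
```

The check is a heuristic: it will not catch an archive that is compressed or otherwise obscured inside the image, so treat a miss as "nothing obvious" rather than "clean".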
In their research, Unit 42 noted that several DNG artifacts had names like “WhatsApp Image 2025-02-10 at 4.54.17 PM.jpeg”, suggesting that WhatsApp was the channel through which the malware was delivered to users.
This exploit is very similar to an attack method which impacted iOS and WhatsApp earlier this year, Unit 42’s report suggests.
“The disclosure of the Samsung and Apple vulnerabilities just a few weeks apart, highlights a broader pattern of DNG image processing vulnerabilities being leveraged in sophisticated mobile spyware attacks,” the researchers said.
Unit 42 also warns that the “campaign shares infrastructure and tradecraft patterns with commercial spyware operations in the Middle East, indicating possible links to private-sector offensive actors (PSOAs).”
Urgent Response Required, Says CISA
CISA has ordered US federal agencies to deploy a patch to fix this vulnerability within three weeks. This applies to the departments of Energy, Treasury, Homeland Security, and Health and Human Services.
Although CISA’s alert only applies to federal civilian Executive Branch agencies (FCEBs), CISA “strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation.”
Devices at risk include Samsung’s Galaxy S22, S23, and S24 devices, as well as the Z Fold 4 and the Z Flip 4.
Spyware attacks are often highly targeted. They are unlikely to have a wide impact on the hundreds of millions of people who use these devices.
But as Google says, the use of this spyware has a “chilling effect” on targets, who commonly include journalists and those speaking out about human rights abuses.