
Unit 42 Uncovers LANDFALL: New Android Spyware Exploiting Zero-Day in Samsung Image Processing Library
Unit 42 researchers have identified a new Android spyware family, LANDFALL, which exploits a zero-day vulnerability (CVE-2025-21042) in Samsung's image processing library. This vulnerability allows for arbitrary code execution through specially crafted image files, posing a significant threat to affected devices. The discovery of LANDFALL underscores a broader trend of vulnerabilities in mobile image processing libraries, highlighting a critical area of concern for mobile security.

The exploitation of CVE-2025-21042 enables LANDFALL to perform various malicious activities, including data exfiltration and surveillance. The zero-day nature of this vulnerability means that Samsung devices were exposed without prior mitigation, emphasizing the need for proactive vulnerability management and rapid patch deployment. The recurrence of similar vulnerabilities across multiple platforms suggests that image processing libraries are an emerging attack vector that warrants increased attention from cybersecurity professionals.

Organizations should review their mobile security strategies, ensuring that MDM solutions are configured to deploy patches promptly. User education on the risks associated with untrusted image files is also crucial. This incident serves as a reminder of the evolving threat landscape in mobile security, necessitating continuous vigilance and proactive defense measures.