A recently discovered Android spyware has been delivered to Samsung device owners through the exploitation of a zero-day vulnerability, Palo Alto Networks reported on Friday.
The spyware, named Landfall by Palo Alto Networks, exploited a vulnerability tracked as CVE-2025-21042, which affects a Samsung image processing library and which can be exploited for remote code execution.
The attackers appear to have exploited CVE-2025-21042 by sending the targeted users a specially crafted DNG image via WhatsApp. The attacks appear to have been aimed at Samsung Galaxy phones, and the threat actor may have delivered Landfall via a zero-click exploit.
The security firm noted that it has not identified any previously unknown WhatsApp flaws.
Landfall can target Samsung Galaxy S22, S23, S24, Z Fold4, and Z Flip4 phones. Once it has infected a device, the malware enables its operator to spy on the victim. The spyware has microphone recording, location tracking, and data exfiltration capabilities, and the attacker can leverage it to steal photos, contacts, and call logs.
CVE-2025-21042 was patched by Samsung in April, but the tech giant’s advisory does not mention in-the-wild exploitation. Palo Alto said the Landfall attacks have been carried out since at least July 2024, and that CVE-2025-21042 had been exploited as a zero-day prior to Samsung releasing patches.
CVE-2025-21042 is similar to CVE-2025-21043, another exploited zero-day patched recently by Samsung in the same image library. Reported by Meta and WhatsApp, CVE-2025-21043 allows remote code execution, and it was also likely exploited by a spyware vendor.
“While it was not exploited in the Landfall samples we discovered, the similarities between the exploit for Landfall (CVE-2025-21042) and this vulnerability (CVE-2025-21043) are striking. Both vulnerabilities were publicly disclosed around the same time and both are linked to DNG image file processing delivered via mobile communication applications,” Palo Alto Networks explained.
A few weeks prior to CVE-2025-21043’s disclosure, Apple patched CVE-2025-43300, a similar vulnerability that is believed to have been chained with a WhatsApp zero-day tracked as CVE-2025-55177 to deliver spyware to Apple customers.
Palo Alto Networks was unable to confirm that the CVE-2025-43300/CVE-2025-55177 exploit chain was used to deliver Landfall spyware to iOS users.
The security firm was also unable to attribute the Landfall malware to a known commercial spyware vendor and is currently tracking the threat actor behind the CVE-2025-21042 attacks as CL-UNK-1054.
Some connections have been found to the UAE-linked Stealth Falcon group, but Palo Alto has not found conclusive evidence tying Landfall to this threat actor. In addition, malware component naming conventions suggest that the spyware could have been developed by other surveillance companies such as NSO, Variston and Cytrox.
Malicious DNG file samples analyzed by Palo Alto Networks suggest that the Landfall attacks were aimed at individuals in the Middle East and North Africa, including Iran, Iraq, Turkey and Morocco.
Related: Chrome Zero-Day Exploitation Linked to Hacking Team Spyware
Related: iOS 26 Deletes Spyware Evidence
Related: FreeType Zero-Day Found by Meta Exploited in Paragon Spyware Attacks
