Samsung Spyware Attack — Critical LandFall 0-Day Used WhatsApp Images

ByDavey Winder,

Senior Contributor.

It’s not been the best week for smartphone users, what with news of yet another dangerous iPhone attack, and warnings from Google about active Gmail scams. But Samsung users are the subject of the latest headlines as security researchers reveal details of a hack attack that exploited a critical zero-day vulnerability to install spyware on smartphones, using WhatsApp images as the in. Thankfully, the vulnerability has been patched. But here’s everything you need to know about LandFall.

Security researchers from Palo Alto Networks Unit 42 team have published an in-depth analysis of a zero-day vulnerability within the Samsung Android image processing library. CVE-2025-21042 is just part of a spyware family, the researchers said, which has been named LandFall. “This vulnerability was actively exploited in the wild before Samsung patched it in April 2025,” the report confirmed, with attacks observed in the wild. The commercial-grade spyware used with Landfall, alongside the exploit used, had not been publicly reported or analyzed. Until now.

The LandFall exploit was distributed by being embedded in malicious image files using the DNG format, and sent by way of WhatsApp messages, according to the report. However, Unit 42 pointed out that the “research did not identify any unknown vulnerabilities in WhatsApp.” I have approached Meta for a statement.