Saved February 14, 2026
Do you care about this?
A zero-day vulnerability in Samsung's Android image processing library allowed the deployment of LandFall spyware through malicious images sent via WhatsApp. This spyware targets specific Galaxy models and can record calls, track locations, and access personal data.
If you do, here's more
A zero-day vulnerability in Samsung’s Android image processing library has been exploited to deploy a new spyware called 'LandFall.' This attack uses malicious images sent over WhatsApp to target specific Galaxy users, particularly in the Middle East. The vulnerability, identified as CVE-2025-21042, allows remote code execution, posing a significant security risk. Although the flaw was patched in April 2024, evidence indicates that LandFall operations have been active since at least July 2024.
Researchers from Palo Alto Networks’ Unit 42 analyzed the spyware and found it likely functions as a commercial surveillance tool, utilizing a malformed .DNG image file to deliver its payload. The spyware consists of a loader that retrieves additional modules and a SELinux policy manipulator that elevates permissions on the device. It collects a wide range of data, including microphone and call recordings, location tracking, and access to photos and messaging history. Targeted devices include the Galaxy S22, S23, S24 series, and Z Flip 4 models.
Attribution for the LandFall campaign remains uncertain. However, analysis of command-and-control servers linked to the operation indicates potential targets in Iraq, Iran, Turkey, and Morocco. Some of these servers show similarities to those used in past operations by the Stealth Falcon group, which is connected to the UAE. Despite these clues, there is no definitive link to any known threat groups. To mitigate risks, users are advised to apply security updates, disable automatic media downloads in messaging apps, and enable advanced security features on their devices.