CVE-2025-21042 Exploited via Malicious DNG Files; Zero-Click Delivery Considered Likely
Targets in the Middle East; Commercial PSOA Involvement Indicated
US cybersecurity firm Palo Alto Networks (Unit 42) has disclosed a new Android spyware family, "LANDFALL", active from mid-2024 into early 2025.

Attack method: a zero-day vulnerability (CVE-2025-21042) in a Samsung image processing library was exploited to hide malicious modules inside DNG (RAW) image files, which were then delivered to target devices through WhatsApp and other messaging apps, giving the attacker remote code execution and extensive surveillance capabilities.

Attack sophistication: likely zero-click delivery (device compromise without user interaction); SELinux policy manipulation to bypass Android's security architecture; a modular C2 (command and control) infrastructure; advanced stealth and persistence techniques.

Target region: assessed to be the Middle East.

Timeline: the first LANDFALL sample was uploaded to VirusTotal in July 2024; activity continued into early 2025.

Samsung response: CVE-2025-21042 (SVE-2024-1969) was patched in the April 2025 security update; a similar vulnerability, CVE-2025-2..., in the same library has also been patched.

Commercial PSOA (Private Sector Offensive Actor) connection: the sophistication of the attack infrastructure, the use of a zero-day exploit, and the targeted deployment against specific individuals in a specific region follow the pattern of commercial surveillance vendors (such as NSO Group with Pegasus). Unit 42 assesses that LANDFALL was likely developed by or for a commercial spyware operator selling surveillance services to government clients.

The DNG vector is particularly concerning because image files are routinely shared via messaging apps and recipients rarely treat them with suspicion; an image that the device's media pipeline parses automatically also gives the attacker a code path that does not depend on the recipient's actions, which is what makes zero-click delivery plausible. For defenders, the immediate checks are whether Samsung devices in scope carry the April 2025 security patch level or later and whether messaging-app media directories contain DNG files from unexpected senders.
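The article says the malicious modules were hidden inside DNG files sent through messaging apps but does not describe how they were embedded. The following Python script is an added example, not code from Unit 42, Samsung, or the original article: it implements the triage check a responder would run over a media directory. DNG is a TIFF container, so the script walks the IFD chain, computes the highest byte that the image structure actually references (IFD tables, out-of-line tag values, strip and tile data, sub-IFDs) and reports any unreferenced trailing data, flagging a ZIP signature if one appears. It assumes the smuggled payload sits outside the referenced image structure, the common appended-container pattern; a payload hidden inside a referenced tag value or strip would not be flagged. `build_sample_dng` constructs a minimal DNG for demonstration and is not a real LANDFALL sample.

```python
"""Triage heuristic for DNG/TIFF files that may carry a non-image payload.

Walks the TIFF IFD chain (DNG is TIFF-based), records every byte range the
image structure references, and reports whatever lies beyond that extent.
Trailing data is not proof of malice, but it is the cheapest place for a
smuggled module to live, so it is a useful first filter before deeper analysis.
"""
import struct

# TIFF 6.0 field types -> element size in bytes (type 13 is the IFD pointer type)
TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 6: 1, 7: 1, 8: 2, 9: 4,
              10: 8, 11: 4, 12: 8, 13: 4}
OFFSET_COUNT_PAIRS = {273: 279, 324: 325}   # StripOffsets/StripByteCounts, TileOffsets/TileByteCounts
SUB_IFD_TAGS = (330, 34665, 34853)          # SubIFDs, Exif IFD, GPS IFD pointers
ZIP_MAGICS = (b"PK\x03\x04", b"PK\x05\x06", b"PK\x07\x08")


def _int_values(data, endian, typ, count, value_field):
    """Decode an IFD entry's integer values, inline (<= 4 bytes) or out of line."""
    fmt = {1: "B", 3: "H", 4: "I", 13: "I"}.get(typ)
    if fmt is None:
        return []
    total = TYPE_SIZES[typ] * count
    if total <= 4:
        raw = value_field[:total]
    else:
        off = struct.unpack(endian + "I", value_field)[0]
        raw = data[off:off + total]
    if len(raw) != total:                  # truncated or out-of-file reference: ignore
        return []
    return list(struct.unpack(endian + fmt * count, raw))


def referenced_extent(data):
    """Highest byte offset reached by any structure the TIFF/DNG references.

    Offsets past end of file, loops in the IFD chain and duplicate IFD pointers
    are ignored rather than trusted: the right posture for hostile input."""
    if len(data) < 8 or data[:2] not in (b"II", b"MM"):
        raise ValueError("not a classic TIFF/DNG header")
    endian = "<" if data[:2] == b"II" else ">"
    magic, first_ifd = struct.unpack(endian + "HI", data[2:8])
    if magic != 42:
        raise ValueError("unsupported TIFF magic %d" % magic)
    extent, seen, pending = 8, set(), [first_ifd]
    while pending:
        ifd = pending.pop()
        if ifd == 0 or ifd in seen or ifd + 2 > len(data):
            continue
        seen.add(ifd)
        n = struct.unpack(endian + "H", data[ifd:ifd + 2])[0]
        table_end = ifd + 2 + 12 * n + 4   # entry table plus next-IFD link
        if table_end > len(data):
            continue
        extent = max(extent, table_end)
        entries = {}
        for i in range(n):
            e = ifd + 2 + 12 * i
            tag, typ, count = struct.unpack(endian + "HHI", data[e:e + 8])
            value_field = data[e + 8:e + 12]
            total = TYPE_SIZES.get(typ, 0) * count
            if total > 4:                  # value stored out of line at an offset
                off = struct.unpack(endian + "I", value_field)[0]
                if off + total <= len(data):
                    extent = max(extent, off + total)
            entries[tag] = (typ, count, value_field)
        # pixel data is referenced by (offset, byte count) pairs, not by the table itself
        for off_tag, cnt_tag in OFFSET_COUNT_PAIRS.items():
            if off_tag in entries and cnt_tag in entries:
                offs = _int_values(data, endian, *entries[off_tag])
                cnts = _int_values(data, endian, *entries[cnt_tag])
                for o, c in zip(offs, cnts):
                    if o + c <= len(data):
                        extent = max(extent, o + c)
        for tag in SUB_IFD_TAGS:           # DNG keeps the raw image in a SubIFD
            if tag in entries:
                pending.extend(_int_values(data, endian, *entries[tag]))
        pending.append(struct.unpack(endian + "I", data[table_end - 4:table_end])[0])
    return extent


def scan_dng(data):
    """Summarise unreferenced trailing data and whether it carries a ZIP signature."""
    extent = referenced_extent(data)
    trailing = data[extent:]
    return {"referenced_extent": extent,
            "trailing_bytes": len(trailing),
            "zip_signature_in_trailer": any(m in trailing for m in ZIP_MAGICS)}


def build_sample_dng(payload=b""):
    """Constructed sample: a minimal little-endian DNG (one 2x2 8-bit strip)
    with `payload` appended after the image data. Not a real LANDFALL file."""
    strip = bytes([10, 20, 30, 40])
    entries = [(256, 4, 1, 2),             # ImageWidth
               (257, 4, 1, 2),             # ImageLength
               (258, 3, 1, 8),             # BitsPerSample
               (273, 4, 1, 0),             # StripOffsets (patched below)
               (277, 3, 1, 1),             # SamplesPerPixel
               (278, 4, 1, 2),             # RowsPerStrip
               (279, 4, 1, len(strip)),    # StripByteCounts
               (50706, 1, 4, 0x00000401)]  # DNGVersion 1.4.0.0 as four inline BYTEs
    ifd_off = 8
    strip_off = ifd_off + 2 + 12 * len(entries) + 4
    entries[3] = (273, 4, 1, strip_off)
    ifd = struct.pack("<H", len(entries))
    for tag, typ, count, value in entries:
        ifd += struct.pack("<HHII", tag, typ, count, value)
    ifd += struct.pack("<I", 0)            # no next IFD
    return b"II" + struct.pack("<HI", 42, ifd_off) + ifd + strip + payload


if __name__ == "__main__":
    print("clean:   ", scan_dng(build_sample_dng()))
    # constructed "smuggled module": a ZIP local-file-header signature plus filler
    print("appended:", scan_dng(build_sample_dng(b"PK\x03\x04" + b"\x00" * 20 + b"libfake.so")))
```

Run `scan_dng(open(path, "rb").read())` over files in a messaging app's media directory; a non-zero `trailing_bytes`, especially with a ZIP signature, marks a file for extraction and inspection of the appended content, not a verdict. Legitimate software occasionally appends metadata after the image structure, and the parsing bug itself (CVE-2025-21042) is independent of where a payload sits, so a file can still be an exploit with no trailing data at all.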


