"Landfall Spyware Targets Samsung Phones in the Middle East"

  • Nov 7, 2025
  • 2 min read

Key Findings:


  • A new commercial-grade spyware called "Landfall" has been targeting Samsung Galaxy phones in the Middle East since at least mid-2024.

  • Landfall exploited a previously unknown, unpatched vulnerability (zero-day) in Samsung's Android image processing library, tracked as CVE-2025-21042.

  • The spyware was delivered through malicious DNG image files sent via WhatsApp, with no user interaction required (zero-click).

  • Landfall has extensive surveillance capabilities, including recording audio, tracking location, and stealing data from infected devices.

  • The campaign shares tactics and infrastructure with known Middle Eastern commercial spyware operations, suggesting links to private-sector offensive actors (PSOAs).

  • Potential targets were identified in Iran, Iraq, Morocco, and Turkey based on VirusTotal submission data.

  • The researchers were unable to definitively attribute the campaign to a specific threat actor, but found similarities with the Stealth Falcon group.


Background


Palo Alto Networks' Unit 42 researchers discovered the previously unknown Android spyware family, dubbed "Landfall," which was exploiting a zero-day vulnerability in Samsung's image processing library to target Galaxy devices in the Middle East. The vulnerability, CVE-2025-21042, was patched by Samsung in April 2025 but had been actively exploited for months before the fix was released.


Delivery and Infection Vector


Landfall was delivered through malicious DNG image files sent via WhatsApp, with no user interaction required for the exploit to execute (zero-click). Each DNG file carried an embedded ZIP archive containing shared object library (.so) files, which were extracted and loaded to run the Landfall spyware.
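As an added example (not code from the post or from Unit 42's analysis), a defender-side check for the polyglot layout described above: a file that starts as a TIFF/DNG image but carries a ZIP archive inside it. It assumes the archive is appended after the image data, and the sample image and its `libsample.so` member are constructed inline.

```python
import io
import struct
import zipfile

# DNG is a TIFF extension, so a genuine file opens with a TIFF byte-order mark.
TIFF_MAGICS = (b"II*\x00", b"MM\x00*")
ZIP_LOCAL_HEADER = b"PK\x03\x04"
SUSPICIOUS_EXT = (".so", ".dex", ".jar", ".apk")  # native/Android code that never belongs in a photo


def is_tiff_like(data: bytes) -> bool:
    return data[:4] in TIFF_MAGICS


def scan_image_for_zip(data: bytes) -> dict:
    """Report whether an image buffer embeds a ZIP and which members look like code."""
    result = {"tiff": is_tiff_like(data), "zip_offset": -1, "members": [], "suspicious": []}
    off = data.find(ZIP_LOCAL_HEADER)
    if off < 0:
        return result
    result["zip_offset"] = off
    try:
        # zipfile locates the end-of-central-directory record from the tail,
        # so it handles an archive appended after arbitrary leading bytes.
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            result["members"] = zf.namelist()
    except zipfile.BadZipFile:
        result["members"] = ["<unparsable zip>"]  # signature present; still flag for review
    result["suspicious"] = [m for m in result["members"] if m.lower().endswith(SUSPICIOUS_EXT)]
    return result


def build_sample(with_zip: bool) -> bytes:
    """Constructed input: minimal little-endian TIFF header, empty IFD, padding,
    optionally followed by a ZIP holding a dummy (not real) shared object."""
    header = b"II*\x00" + struct.pack("<I", 8)      # magic + offset of first IFD
    ifd = struct.pack("<H", 0) + struct.pack("<I", 0)  # zero entries, no next IFD
    image = header + ifd + b"\x00" * 64             # stand-in for pixel data
    if not with_zip:
        return image
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("libsample.so", b"constructed placeholder, not executable code")
        zf.writestr("config.txt", b"placeholder")
    return image + buf.getvalue()


if __name__ == "__main__":
    for flag in (False, True):
        print(scan_image_for_zip(build_sample(flag)))
```

The same scan can be run over files in a messaging app's media directory; any TIFF/DNG with a non-empty `suspicious` list deserves a closer look.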


Spyware Capabilities


Once deployed, Landfall had extensive surveillance capabilities, including recording audio, tracking location, and stealing data such as photos, messages, files, and system information. The spyware also employed advanced evasion techniques like debugger and framework detection, SELinux modification, and certificate pinning for secure C2 communication over HTTPS.


Attribution and Similarities


The researchers were unable to definitively attribute the Landfall campaign to a specific threat actor, but found similarities in the C2 infrastructure and domain patterns with the Stealth Falcon group, which has suspected links to the United Arab Emirates government. However, the researchers stated that they did not observe direct overlaps between the mobile campaigns of Landfall and the endpoint-based activity from Stealth Falcon as of October 2025.


Ongoing Threat


The analysis of the Landfall spyware indicates a sophisticated, commercial-grade operation that was able to remain hidden for an extended period before being discovered. The researchers noted that the vulnerability exploited by Landfall is part of a broader pattern of similar issues found on multiple mobile platforms, underscoring the growing threat of image-processing vulnerabilities in mobile espionage.


Sources


  • https://cyberscoop.com/landfall-spyware-samsung-phones-palo-alto-networks-unit-42/

  • https://securityaffairs.com/184331/security/landfall-spyware-exploited-samsung-zero-day-cve-2025-21042-in-middle-east-attacks.html

  • https://www.techbuzz.ai/articles/samsung-galaxy-phones-hit-by-year-long-landfall-spyware-attack

  • https://www.pcmag.com/news/this-spyware-targeted-samsung-phones-using-malicious-images

© 2025 by Explain IT Again.