'Landfall' Malware Targeted Samsung Galaxy Users

TechTarget and Informa Tech’s Digital Business Combine.TechTarget and InformaTogether, we power an unparalleled network of 220+ online properties covering 10,000+ granular topics, serving an audience of 50+ million professionals with original, objective content from trusted sources. We help you gain critical insights and make more informed decisions across your business priorities.The tool let its operators secretly record conversations, track device locations, capture photos, collect contacts, and perform other surveillance on compromised devices.November 7, 2025A likely private vendor of offensive security tools quietly exploited a zero-day vulnerability in Samsung's Android image processing library to drop a commercial grade spyware tool on targeted Samsung Galaxy users in the Middle East.The malicious activity went on from at least mid-2024 to April 2025, when Samsung fixed the vulnerability after a researcher privately informed the company about the issue. Researchers at Palo Alto Network's Unit 42 team discovered the spyware tool when following up on public reports of exploits targeting iOS devices earlier this year.Researchers named the malware "Landfall" and described it in a report this week as a tool that lets its operators secretly record conversations, track device locations, capture photos, collect contacts and call logs, and perform other surveillance on compromised devices. The team observed attackers exploiting CVE-2025-21042, a critical flaw in Samsung's image processing library, to deliver the spyware through specially crafted Digital Negative (DNG) image files. Unit 42's analysis showed the attackers likely sent the weaponized image files via WhatsApp primarily to targets in Iraq, Iran, Turkey, and Morocco.The exploit chain, according to Unit 42, closely resembled similar attacks discovered on iOS around the same time, suggesting a broader pattern of coordinated exploitation targeting image-processing vulnerabilities across multiple mobile platforms.Related:SparkKitty Swipes Pics From iOS, Android Devices"From the initial appearance of samples in July 2024, this activity highlights how sophisticated exploits can remain in public repositories for an extended period before being fully understood," Unit 42 said in its report. "The analysis of the loader reveals evidence of commercial-grade activity. The Landfall spyware components suggest advanced capabilities for stealth, persistence and comprehensive data collection from modern Samsung devices."The activity that Unit 42 discovered matches similar campaigns in recent years where governments, intelligence agencies, and law enforcement have used sophisticated, commercially available mobile spyware tools to monitor civil rights activists, political opponents, think tanks, and journalists of interest. The more well-known purveyors of such tools include the NSO Group and its notorious Pegasus spyware, Cytox/Intellexa's Predator spyware and its broader Nova suite of malicious tools, and Gamma's FinFisher FinSpy tool. Last year, Google described such actors as accounting for nearly half of all zero-days in its products between 2014 and 2023. And just last month, a US federal court judge formally banned the NSO Group from reverse engineering WhatsApp for spyware delivery purposes.Related:Digital Forensics Firm Cellebrite to Acquire CorelliumThe path that led to Unit 42's discovery of Landfall began with its investigation of malicious activity related to CVE-2025-43300, a zero-day bug that affected the DNG image parsing component in Apple iOS. Soon after Apple's disclosure, WhatsApp reported a zero-day bug (CVE-2025-55177) in a device synchronization feature that attackers were chaining with CVE-2025-43300 to force compromised devices to process content from attacker-controlled URLs. In September, WhatsApp reported a similar vulnerability (CVE-2025-21043) to Samsung as well.Unit 42's pursuit of the malicious iOS activity led to its discovery of malformed DNG files containing Landfall that had been uploaded to VirusTotal in 2024 and 2025. The security vendor's analysis showed the spyware to be modular in design and optimized for monitoring high-end Samsung devices like Galaxy S22, S23, and S24 series, and stealing data from them. Based on command strings and execution paths that the researchers identified, they found Landfall equipped to do extensive device fingerprinting, data exfiltration, and downloading additional payloads.Related:'Crocodilus' Sharpens Its Teeth on Android UsersMost troubling was Landfall's detection evasion mechanisms. Unit 42 found the spyware to include multiple anti-analysis mechanisms to detect when it's being examined by security researchers, identify when it is being debugged, detect popular reverse-engineering frameworks, and grant itself elevated privileges.Unit 42 researchers identified at least six command and control (C2) servers that that attackers used to communicate with the malware. Landfall's C2 infrastructure had multiple overlaps with infrastructure associated with Stealth Falcon, another purveyor of targeted spyware campaign. "Circumstantial evidence suggests there could be a link between this group and the United Arab Emirates (UAE) government, but that has not been confirmed," Unit 42 said.  However, it added, besides the infrastructure overlap, no other telemetry is so far available to suggest a direct link between Stealth Falcon and Landfall.Jai Vijayan, Contributing WriterJai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.2025 DigiCert DDoS Biannual ReportDigiCert RADAR - Risk Analysis, Detection & Attack ReconnaissanceThe Total Economic Impact of DigiCert ONEIDC MarketScape: Worldwide Exposure Management 2025 Vendor AssessmentThe Forrester Wave™: Unified Vulnerability Management Solutions, Q3 2025How AI & Autonomous Patching Eliminate Exposure RisksThe Cloud is No Longer Enough: Securing the Modern Digital PerimeterSecuring the Hybrid Workforce: Challenges and SolutionsCybersecurity Outlook 2026Threat Hunting Tools & Techniques for Staying Ahead of Cyber AdversariesYou May Also LikeNov 13, 2025How AI & Autonomous Patching Eliminate Exposure RisksThe Cloud is No Longer Enough: Securing the Modern Digital PerimeterSecuring the Hybrid Workforce: Challenges and SolutionsCybersecurity Outlook 2026Threat Hunting Tools & Techniques for Staying Ahead of Cyber AdversariesPKI Modernization WhitepaperEDR v XDR v MDR- The Cybersecurity ABCs ExplainedHow to Chart a Path to Exposure Management MaturitySecurity Leaders' Guide to Exposure Management StrategyThe NHI Buyers GuideCopyright © 2025 TechTarget, Inc. d/b/a Informa TechTarget. This website is owned and operated by Informa TechTarget, part of a global network that informs, influences and connects the world’s technology buyers and sellers. All copyright resides with them. Informa PLC’s registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. TechTarget, Inc.’s registered office is 275 Grove St. Newton, MA 02466.