Title: Commercial Spyware “Landfall” Found Targeting Samsung Phones for Nearly a Year


Introduction

In an alarming revelation, researchers from Unit 42, the cybersecurity division of Palo Alto Networks, have uncovered a sophisticated spyware named “Landfall” that has been compromising Samsung Galaxy smartphones for almost a year. This malware exploits a zero-day vulnerability in Samsung’s Android operating system, enabling it to harvest a significant volume of personal information from affected devices. Although the flaw has been addressed with a patch, the implications of this discovery raise serious concerns about mobile security, especially for users in specific regions.

Main Body

Landfall was first detected in July 2024, exploiting a vulnerability identified as CVE-2025-21042. Samsung rolled out a patch for this security flaw in April 2025, but the details of the spyware’s operations have only come to light recently. According to the Unit 42 research team, the spyware’s targets were likely limited to select individuals, particularly in the Middle East. It is still unclear who orchestrated these attacks, but the sophistication of the malware points to a well-funded and organized group.

What makes Landfall particularly insidious is its classification as a zero-click exploit. This type of malware can infiltrate a system without requiring any direct interaction from the user. Unit 42’s discovery of Landfall stemmed from investigating two similar vulnerabilities that were patched in Apple’s iOS and WhatsApp. Upon examining the available data, the team found several malicious image files on VirusTotal, leading them to this alarming spyware.

The Nature of the Attack

While traditional image files cannot execute code, Landfall takes advantage of specially crafted image files to carry out its malicious operations. In this case, the attackers utilized modified DNG files, a raw image format based on TIFF. Within these DNG files, they embedded ZIP archives containing harmful payloads. Before the patch was implemented in April 2025, Samsung smartphones were vulnerable due to flaws in their image processing libraries.
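A triage check for the file structure described above, as an added example that is not code from Unit 42 or from the original article: it confirms a file has a TIFF header (the container DNG builds on) and then lists any ZIP members carried in the same file. It assumes the archive sits at the tail of the file, which is where Python's `zipfile` looks for the end-of-central-directory record; the ELF-magic flag is a generic heuristic for native code, not a detail from the article, and the sample bytes are constructed.

```python
import io
import struct
import zipfile

TIFF_BYTE_ORDER = {b"II": "<", b"MM": ">"}  # little / big endian markers
ELF_MAGIC = b"\x7fELF"                       # generic native-binary heuristic

def is_tiff(data: bytes) -> bool:
    """True if data opens with a classic TIFF header (DNG is TIFF-based)."""
    if len(data) < 8 or data[:2] not in TIFF_BYTE_ORDER:
        return False
    magic, ifd_offset = struct.unpack(TIFF_BYTE_ORDER[data[:2]] + "HI", data[2:8])
    return magic == 42 and 8 <= ifd_offset < len(data)

def _head(zf: zipfile.ZipFile, info: zipfile.ZipInfo, n: int = 4) -> bytes:
    """Read only the first n bytes of a member (avoids inflating large entries)."""
    with zf.open(info) as fh:
        return fh.read(n)

def scan_image(data: bytes) -> list[tuple[str, bool]]:
    """Return (member name, looks_like_elf) for a ZIP carried in a TIFF/DNG."""
    if not is_tiff(data):
        return []
    # Cheap pre-filter on the ZIP local-header and end-of-directory signatures.
    if b"PK\x03\x04" not in data or b"PK\x05\x06" not in data:
        return []
    try:
        # zipfile tolerates leading non-ZIP bytes, so the image prefix is fine.
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [(i.filename, _head(zf, i).startswith(ELF_MAGIC))
                    for i in zf.infolist()]
    except (zipfile.BadZipFile, RuntimeError):  # corrupt or encrypted archive
        return []

def constructed_samples() -> tuple[bytes, bytes]:
    """Constructed test data: a minimal empty TIFF, and the same plus a ZIP."""
    clean = struct.pack("<2sHI", b"II", 42, 8) + struct.pack("<HI", 0, 0)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("notes.txt", "benign placeholder")
        zf.writestr("lib/placeholder.so", ELF_MAGIC + b"\x00" * 12)
    return clean, clean + buf.getvalue()

if __name__ == "__main__":
    clean, suspicious = constructed_samples()
    print("clean:", scan_image(clean))
    print("suspicious:", scan_image(suspicious))
```

A non-empty result means the image carries an archive and deserves closer inspection; an empty result is not proof the file is benign.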

This is a zero-click threat; the user doesn’t need to actively open anything. Instead, when the device attempts to display the corrupted image, it inadvertently processes the malicious code, extracting and executing the hidden payload. The attack then grants Landfall increased permissions by modifying the device’s SELinux security policy, allowing it to access sensitive user data.

Delivery and Operation of the Spyware

Unit 42’s analysis indicates that the malicious files associated with Landfall were likely transmitted via popular messaging applications like WhatsApp. The code within Landfall explicitly referenced various Samsung Galaxy models, including the Galaxy S22, S23, S24, Z Flip 4, and Z Fold 4. Once installed, the spyware sends basic device information to a remote server, allowing the attackers to extract a broad range of data, such as user IDs, hardware information, installed applications, contacts, file storage, and even browsing history. Disturbingly, the spyware also has the capability to activate the device’s camera and microphone, enabling covert surveillance of its user.

Removing Landfall from an infected device can prove challenging. Due to its manipulation of SELinux policies, the spyware can embed itself deeply within the system, making detection and removal difficult. Moreover, the malware is equipped with multiple evasion tactics to avoid being uncovered. Analysis by Unit 42 suggests that Landfall was operational in various regions, including Iraq, Iran, Turkey, and Morocco, from 2024 into early 2025. The vulnerability it exploits may have existed in devices running Android versions 13 through 15.

Unit 42’s investigation revealed that certain naming conventions and server interactions exhibited similarities to industrial espionage tools developed by major cybersecurity firms such as NSO Group and Variston. However, they have yet to definitively associate Landfall with any specific entity. While the attack was notably targeted, the disclosure of its details poses a risk, as other malicious actors could potentially replicate the exploit.

Conclusion

The discovery of the Landfall spyware underlines the ongoing threats posed by sophisticated cyber attacks on mobile devices. As technology evolves, so do the methods employed by cybercriminals, highlighting the critical need for constant vigilance and robust security measures. Users of Samsung Galaxy smartphones, particularly in regions where the spyware was active, should remain cautious and ensure their devices are updated with the latest security patches. The incident serves as a reminder of the importance of cybersecurity in our increasingly interconnected world.

FAQ Section

Q1: What is Landfall spyware?
A1: Landfall is a sophisticated spyware that targets Samsung Galaxy smartphones, exploiting a zero-day vulnerability to steal personal data without user interaction.

Q2: How long was the Landfall spyware active?
A2: The spyware was active for nearly a year, from July 2024 until the vulnerability it exploited was patched in April 2025.

Q3: What types of data can Landfall access?
A3: Landfall can access a wide range of data, including user IDs, hardware information, installed apps, contacts, files, and browsing history, and it can even activate the camera and microphone.

Q4: How does Landfall execute its attack?
A4: Landfall uses modified DNG image files to deliver malicious payloads. When a Samsung device processes these images, the spyware is executed without any user interaction.

Q5: How can users protect their devices from similar attacks?
A5: Users should keep their devices updated with the latest security patches, be cautious about downloading files from untrusted sources, and utilize security software to help detect potential threats.
