Landfall Spyware Targets Samsung Galaxy Phones in Middle East Campaign

New Landfall Spyware Discovered in Samsung Galaxy Phones

Security researchers have exposed a sophisticated hacking campaign that deployed a new type of spyware called 'Landfall' on Samsung Galaxy smartphones. The year-long operation primarily targeted victims across the Middle East, exploiting a critical flaw in the image-parsing library that Samsung ships with Android on its Galaxy devices.

According to Unit 42, the threat intelligence team backed by cybersecurity firm Palo Alto Networks, attackers leveraged this vulnerability to compromise Galaxy devices without any user interaction. The research findings were detailed in a blog post published on November 7.

How the Landfall Spyware Operation Worked

The attack qualified as both a zero-day and zero-click exploit, meaning Samsung was unaware of the vulnerability at the time of attack, and victims didn't need to click anything for their devices to become infected. Researchers confirmed that simply sending a maliciously crafted image file through messaging applications could successfully deploy the spyware.

Strings in the spyware's code identified five Samsung Galaxy models as primary targets: the S22, S23 and S24 series, along with certain Z models. However, investigators found the security flaw affected additional Galaxy devices, particularly those running Android versions 13 through 15.

Landfall Spyware Capabilities and Discovery Timeline

Similar to other commercial-grade surveillance tools like NSO Group's Pegasus, Landfall enables comprehensive device monitoring. The spyware can vacuum up sensitive on-device data including photos, contact lists, and call logs. It can also activate the device's microphone for audio surveillance and track the user's precise location in real time.

The earliest known Landfall samples date from July 2024. Samsung subsequently addressed the security flaw used to deploy the spyware with a patch released in April 2025. The vulnerability, identified as CVE-2025-21042, is what researchers describe as part of a broader pattern of similar image-parsing bugs affecting multiple mobile platforms.

Unit 42 researchers analyzed various spyware samples uploaded to VirusTotal, a malware scanning service, by individuals located in Morocco, Iran, Iraq, and Turkey between 2024 and early 2025. The investigation revealed that Landfall was delivered through malformed DNG image files that exploited the critical zero-day vulnerability in Samsung's image processing library.
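The delivery chain above depends on a parser trusting the offsets inside a DNG (a TIFF container) without checking them against the file size. The Python triage script below is an added example, not code from Unit 42 or from the article: it walks a TIFF/DNG's IFD chain the way a hardened parser should, bounds-checking every offset, and reports the kind of anomalies a malformed attachment would show (out-of-range IFD or data offsets, a .jpg filename on a TIFF/DNG container, bytes trailing the last referenced structure). The sample files produced by build_sample are constructed for illustration; the checks and thresholds are this example's own choices, not a signature for Landfall.

```python
import struct

# TIFF field types -> byte size (type 13 is the IFD pointer type used by DNG SubIFDs)
TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 6: 1, 7: 1, 8: 2,
              9: 4, 10: 8, 11: 4, 12: 8, 13: 4}
TAG_STRIP_OFFSETS, TAG_STRIP_BYTES = 273, 279
TAG_TILE_OFFSETS, TAG_TILE_BYTES = 324, 325
TAG_SUB_IFDS, TAG_EXIF_IFD = 330, 34665
TAG_DNG_VERSION = 0xC612  # present only in DNG, not plain TIFF


def _ints(data, endian, typ, n, entry):
    """Decode an entry's BYTE/SHORT/LONG/IFD values, whether inline or out-of-line."""
    fmt = {1: "B", 3: "H", 4: "I", 13: "I"}.get(typ)
    total = TYPE_SIZES[typ] * n
    if fmt is None:
        return []
    if total <= 4:
        blob = entry[8:8 + total]  # values <= 4 bytes live inline, left-justified
    else:
        off = struct.unpack(endian + "I", entry[8:12])[0]
        blob = data[off:off + total]
    return list(struct.unpack(endian + fmt * n, blob)) if len(blob) == total else []


def scan_tiff(data, filename):
    """Bounds-check a TIFF/DNG and return {'is_dng': bool, 'findings': [str, ...]}."""
    findings = []
    if len(data) < 8 or data[:2] not in (b"II", b"MM"):
        return {"is_dng": False, "findings": ["not a TIFF/DNG container"]}
    endian = "<" if data[:2] == b"II" else ">"
    magic, first_ifd = struct.unpack(endian + "HI", data[2:8])
    if magic != 42:
        return {"is_dng": False, "findings": ["bad TIFF magic"]}
    if not filename.lower().endswith((".dng", ".tif", ".tiff")):
        findings.append(f"extension mismatch: {filename!r} carries TIFF/DNG magic")

    high_water, is_dng, seen, worklist = 8, False, set(), [first_ifd]
    while worklist:
        ifd = worklist.pop()
        if ifd == 0 or ifd in seen:  # 0 terminates a chain; repeats would loop forever
            continue
        seen.add(ifd)
        if ifd + 2 > len(data):
            findings.append(f"IFD offset {ifd:#x} beyond EOF")
            continue
        (count,) = struct.unpack(endian + "H", data[ifd:ifd + 2])
        end = ifd + 2 + 12 * count + 4
        if end > len(data):
            findings.append(f"IFD at {ifd:#x} declares {count} entries past EOF")
            continue
        high_water = max(high_water, end)
        regions = {}
        for i in range(count):
            entry = data[ifd + 2 + 12 * i: ifd + 14 + 12 * i]
            tag, typ, n, field = struct.unpack(endian + "HHII", entry)
            if typ not in TYPE_SIZES:
                findings.append(f"tag {tag:#06x}: unknown field type {typ}")
                continue
            total = TYPE_SIZES[typ] * n
            if total > 4:  # field is an offset to out-of-line data: validate before use
                if field + total > len(data):
                    findings.append(f"tag {tag:#06x}: {total} bytes at {field:#x} past EOF")
                    continue
                high_water = max(high_water, field + total)
            if tag == TAG_DNG_VERSION:
                is_dng = True
            elif tag in (TAG_SUB_IFDS, TAG_EXIF_IFD):
                worklist.extend(_ints(data, endian, typ, n, entry))
            elif tag in (TAG_STRIP_OFFSETS, TAG_STRIP_BYTES, TAG_TILE_OFFSETS, TAG_TILE_BYTES):
                regions[tag] = _ints(data, endian, typ, n, entry)
        # Pixel data is referenced by offset/bytecount tag pairs, not by entry size.
        for off_tag, len_tag in ((TAG_STRIP_OFFSETS, TAG_STRIP_BYTES),
                                 (TAG_TILE_OFFSETS, TAG_TILE_BYTES)):
            for off, length in zip(regions.get(off_tag, []), regions.get(len_tag, [])):
                if off + length > len(data):
                    findings.append(f"image data at {off:#x}+{length} past EOF")
                else:
                    high_water = max(high_water, off + length)
        worklist.append(struct.unpack(endian + "I", data[end - 4:end])[0])

    trailing = len(data) - high_water
    if trailing > 0:  # bytes no TIFF structure accounts for: a classic smuggling spot
        findings.append(f"{trailing} trailing bytes after last referenced structure "
                        f"(begin {data[high_water:high_water + 4].hex()})")
    return {"is_dng": is_dng, "findings": findings}


def build_sample(width=2, height=2, strip_offset=None, trailer=b""):
    """Constructed minimal little-endian DNG for testing (not a real camera file)."""
    pixels = bytes(range(width * height))
    entries = [(256, 3, 1, width), (257, 3, 1, height), (258, 3, 1, 8), (259, 3, 1, 1),
               (262, 3, 1, 1), (TAG_STRIP_OFFSETS, 4, 1, 0), (277, 3, 1, 1),
               (278, 3, 1, height), (TAG_STRIP_BYTES, 4, 1, len(pixels)),
               (TAG_DNG_VERSION, 1, 4, 0x00000401)]  # DNGVersion bytes 1,4,0,0 inline
    data_offset = 8 + 2 + 12 * len(entries) + 4
    strip_offset = data_offset if strip_offset is None else strip_offset
    out = b"II" + struct.pack("<HI", 42, 8) + struct.pack("<H", len(entries))
    for tag, typ, n, value in entries:
        out += struct.pack("<HHII", tag, typ, n, strip_offset if tag == TAG_STRIP_OFFSETS else value)
    return out + struct.pack("<I", 0) + pixels + trailer


if __name__ == "__main__":
    print(scan_tiff(build_sample(), "shot.dng"))
    print(scan_tiff(build_sample(strip_offset=0x10000, trailer=b"\x00" * 32), "WhatsApp Image.jpg"))
```

Run it over a directory of received attachments and route anything with findings to a sandbox rather than a full decoder. The script never decodes pixel data, so a clean result is not proof the file is safe; it only catches structural lies the container tells about itself.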

Target Profile and Attribution Challenges

Evidence indicates Landfall was used for targeted intrusion activities within the Middle East, with researchers noting the spyware wasn't mass-distributed like conventional malware. Instead, attackers executed precision attacks against specific individuals, suggesting an espionage campaign rather than broad criminal activity.

Itay Cohen, a senior principal researcher at Unit 42, emphasized the targeted nature of these attacks in statements to TechCrunch. While researchers found infrastructure overlaps with the threat group tracked as Stealth Falcon, they couldn't definitively attribute the campaign to any specific government entity due to insufficient evidence.

The hacking campaign shares similarities with previous spyware attacks against journalists, activists, and dissidents in the United Arab Emirates dating back to 2012. The exact number of individuals targeted remains unclear, and the identity of the spyware vendor who developed Landfall continues to be unknown.

Broader Implications for Mobile Security

Researchers highlighted that Apple patched a similar zero-day vulnerability in August this year, though they couldn't confirm whether the same threat actor was responsible for both iOS and Android exploits. That two DNG parsing bugs were exploited in the wild on both platforms within the same year underscores a concerning pattern of image-decoding code being weaponized in sophisticated mobile spyware attacks.

In response to growing spyware threats, Apple announced in September that it implemented significant changes to its A19 and A19 Pro chips, operating system, and development tools. The new security feature, called Memory Integrity Enforcement (MIE), is designed to detect and block memory-corruption exploits at runtime, making it more challenging for threat actors to compromise iPhones using sophisticated spyware like Pegasus.

This development highlights the ongoing arms race between spyware developers and mobile security teams, with privacy-conscious users increasingly demanding stronger protection against state-level surveillance tools targeting mobile devices.