LmCast :: Stay tuned in

'Landfall' Malware Targeted Samsung Galaxy Users

Recorded: Nov. 7, 2025, 11:01 p.m.

Original

News: 'Landfall' Malware Targeted Samsung Galaxy Users

The tool let its operators secretly record conversations, track device locations, capture photos, collect contacts, and perform other surveillance on compromised devices.

Jai Vijayan, Contributing Writer
November 7, 2025
3 Min Read
Source: Tero Vesalainen via Shutterstock

A likely private vendor of offensive security tools quietly exploited a zero-day vulnerability in Samsung's Android image processing library to drop a commercial-grade spyware tool on targeted Samsung Galaxy users in the Middle East.

The malicious activity went on from at least mid-2024 to April 2025, when Samsung fixed the vulnerability after a researcher privately informed the company about the issue. Researchers at Palo Alto Networks' Unit 42 team discovered the spyware tool when following up on public reports of exploits targeting iOS devices earlier this year.

The Landfall Threat

Researchers named the malware "Landfall" and described it in a report this week as a tool that lets its operators secretly record conversations, track device locations, capture photos, collect contacts and call logs, and perform other surveillance on compromised devices. The team observed attackers exploiting CVE-2025-21042, a critical flaw in Samsung's image processing library, to deliver the spyware through specially crafted Digital Negative (DNG) image files. Unit 42's analysis showed the attackers likely sent the weaponized image files via WhatsApp, primarily to targets in Iraq, Iran, Turkey, and Morocco.

The exploit chain, according to Unit 42, closely resembled similar attacks discovered on iOS around the same time, suggesting a broader pattern of coordinated exploitation targeting image-processing vulnerabilities across multiple mobile platforms.

"From the initial appearance of samples in July 2024, this activity highlights how sophisticated exploits can remain in public repositories for an extended period before being fully understood," Unit 42 said in its report. "The analysis of the loader reveals evidence of commercial-grade activity. The Landfall spyware components suggest advanced capabilities for stealth, persistence and comprehensive data collection from modern Samsung devices."

A Disconcerting Pattern

The activity that Unit 42 discovered matches similar campaigns in recent years where governments, intelligence agencies, and law enforcement have used sophisticated, commercially available mobile spyware tools to monitor civil rights activists, political opponents, think tanks, and journalists of interest. The more well-known purveyors of such tools include the NSO Group and its notorious Pegasus spyware, Cytrox/Intellexa's Predator spyware and its broader Nova suite of malicious tools, and Gamma's FinFisher FinSpy tool. Last year, Google described such actors as accounting for nearly half of all zero-days in its products between 2014 and 2023. And just last month, a US federal court judge formally banned the NSO Group from reverse engineering WhatsApp for spyware delivery purposes.

The path that led to Unit 42's discovery of Landfall began with its investigation of malicious activity related to CVE-2025-43300, a zero-day bug that affected the DNG image parsing component in Apple iOS. Soon after Apple's disclosure, WhatsApp reported a zero-day bug (CVE-2025-55177) in a device synchronization feature that attackers were chaining with CVE-2025-43300 to force compromised devices to process content from attacker-controlled URLs. In September, WhatsApp reported a similar vulnerability (CVE-2025-21043) to Samsung as well.

The Path to Discovery

Unit 42's pursuit of the malicious iOS activity led to its discovery of malformed DNG files containing Landfall that had been uploaded to VirusTotal in 2024 and 2025. The security vendor's analysis showed the spyware to be modular in design and optimized for monitoring high-end Samsung devices like the Galaxy S22, S23, and S24 series, and stealing data from them. Based on command strings and execution paths that the researchers identified, they found Landfall equipped to do extensive device fingerprinting, data exfiltration, and downloading of additional payloads.

Most troubling were Landfall's detection evasion mechanisms. Unit 42 found the spyware to include multiple anti-analysis mechanisms to detect when it's being examined by security researchers, identify when it is being debugged, detect popular reverse-engineering frameworks, and grant itself elevated privileges.

Unit 42 researchers identified at least six command and control (C2) servers that the attackers used to communicate with the malware. Landfall's C2 infrastructure had multiple overlaps with infrastructure associated with Stealth Falcon, another purveyor of targeted spyware campaigns. "Circumstantial evidence suggests there could be a link between this group and the United Arab Emirates (UAE) government, but that has not been confirmed," Unit 42 said. However, it added, besides the infrastructure overlap, no other telemetry is so far available to suggest a direct link between Stealth Falcon and Landfall.

About the Author

Jai Vijayan, Contributing Writer

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Summarized

Samsung Galaxy users, primarily in the Middle East, faced a significant security risk from the deployment of 'Landfall,' a sophisticated spyware tool. The activity, spanning from mid-2024 to April 2025, involved a private offensive security vendor exploiting a zero-day vulnerability in Samsung's Android image processing library. Jai Vijayan, reporting for TechTarget, details how the tool enabled operators to covertly record conversations, track device locations, capture photos, collect contacts and call logs, and carry out other surveillance operations on compromised devices. Palo Alto Networks' Unit 42 team discovered the spyware while following up on public reports of exploits targeting iOS devices.

The exploit chain closely mirrored attacks on iOS, suggesting a coordinated effort targeting multiple mobile platforms. Unit 42 identified at least six command and control (C2) servers used by the attackers, with overlaps observed with infrastructure associated with Stealth Falcon, a previously identified purveyor of targeted spyware campaigns. Circumstantial evidence has tentatively linked Stealth Falcon to the UAE government, although definitive confirmation is lacking, and beyond the infrastructure overlap no other telemetry ties Stealth Falcon directly to Landfall. This activity aligns with a concerning pattern observed over recent years, where governments, intelligence agencies, and law enforcement use advanced, commercially available mobile spyware tools to monitor civil rights activists, political opponents, think tanks, and journalists of interest; prominent examples include the NSO Group's Pegasus, Cytrox/Intellexa's Predator, and Gamma's FinSpy.

The discovery of Landfall highlights the continued risk posed by persistent vulnerabilities in widely used software. Unit 42's analysis revealed that the spyware was modular in design, optimized for high-end Samsung Galaxy devices (S22, S23, and S24 series), and equipped with comprehensive data collection capabilities, including device fingerprinting, data exfiltration, and the ability to download additional payloads. Notably, the spyware incorporated multiple anti-analysis mechanisms to evade detection by security researchers, including techniques to identify when it is being debugged, detect popular reverse-engineering frameworks, and grant itself elevated privileges.

The timeline of the attack (from July 2024 until April 2025) demonstrates the protracted danger posed by these vulnerabilities, even after initial disclosures. The incident underscores that sophisticated exploits can remain in public repositories for extended periods before they are fully understood and mitigated. The path to Landfall's discovery began with Unit 42's investigation of CVE-2025-43300, a zero-day bug affecting Apple iOS. Soon after Apple's disclosure, WhatsApp reported a zero-day bug (CVE-2025-55177) in a device synchronization feature, which attackers chained with CVE-2025-43300 to force compromised devices to process content from attacker-controlled URLs. The incident reinforces the ongoing need for vigilance and proactive security measures, particularly concerning zero-day vulnerabilities and the potential for coordinated exploitation across multiple platforms.