Source: Tero Vesalainen via Shutterstock
A likely private vendor of offensive security tools quietly exploited a zero-day vulnerability in Samsung’s Android image processing library to drop a commercial grade spyware tool on targeted Samsung Galaxy users in the Middle East.
The malicious activity went on from at least mid-2024 to April 2025, when Samsung fixed the vulnerability after a researcher privately informed the company about the issue. Researchers at Palo Alto Network’s Unit 42 team discovered t…
Source: Tero Vesalainen via Shutterstock
A likely private vendor of offensive security tools quietly exploited a zero-day vulnerability in Samsung’s Android image processing library to drop a commercial grade spyware tool on targeted Samsung Galaxy users in the Middle East.
The malicious activity went on from at least mid-2024 to April 2025, when Samsung fixed the vulnerability after a researcher privately informed the company about the issue. Researchers at Palo Alto Network’s Unit 42 team discovered the spyware tool when following up on public reports of exploits targeting iOS devices earlier this year.
The Landfall Threat
Researchers named the malware “Landfall” and described it in a report this week as a tool that lets its operators secretly record conversations, track device locations, capture photos, collect contacts and call logs, and perform other surveillance on compromised devices. The team observed attackers exploiting CVE-2025-21042, a critical flaw in Samsung’s image processing library, to deliver the spyware through specially crafted Digital Negative (DNG) image files. Unit 42’s analysis showed the attackers likely sent the weaponized image files via WhatsApp primarily to targets in Iraq, Iran, Turkey, and Morocco.
The exploit chain, according to Unit 42, closely resembled similar attacks discovered on iOS around the same time, suggesting a broader pattern of coordinated exploitation targeting image-processing vulnerabilities across multiple mobile platforms.
Related:SparkKitty Swipes Pics From iOS, Android Devices
“From the initial appearance of samples in July 2024, this activity highlights how sophisticated exploits can remain in public repositories for an extended period before being fully understood,” Unit 42 said in its report. “The analysis of the loader reveals evidence of commercial-grade activity. The Landfall spyware components suggest advanced capabilities for stealth, persistence and comprehensive data collection from modern Samsung devices.”
A Disconcerting Pattern
The activity that Unit 42 discovered matches similar campaigns in recent years where governments, intelligence agencies, and law enforcement have used sophisticated, commercially available mobile spyware tools to monitor civil rights activists, political opponents, think tanks, and journalists of interest. The more well-known purveyors of such tools include the NSO Group and its notorious Pegasus spyware, Cytox/Intellexa’s Predator spyware and its broader Nova suite of malicious tools, and Gamma’s FinFisher FinSpy tool. Last year, Google described such actors as accounting for nearly half of all zero-days in its products between 2014 and 2023. And just last month, a US federal court judge formally banned the NSO Group from reverse engineering WhatsApp for spyware delivery purposes.
Related:Digital Forensics Firm Cellebrite to Acquire Corellium
The path that led to Unit 42’s discovery of Landfall began with its investigation of malicious activity related to CVE-2025-43300, a zero-day bug that affected the DNG image parsing component in Apple iOS. Soon after Apple’s disclosure, WhatsApp reported a zero-day bug (CVE-2025-55177) in a device synchronization feature that attackers were chaining with CVE-2025-43300 to force compromised devices to process content from attacker-controlled URLs. In September, WhatsApp reported a similar vulnerability (CVE-2025-21043) to Samsung as well.
The Path to Discovery
Unit 42’s pursuit of the malicious iOS activity led to its discovery of malformed DNG files containing Landfall that had been uploaded to VirusTotal in 2024 and 2025. The security vendor’s analysis showed the spyware to be modular in design and optimized for monitoring high-end Samsung devices like Galaxy S22, S23, and S24 series, and stealing data from them.
Based on command strings and execution paths that the researchers identified, they found Landfall equipped to do extensive device fingerprinting, data exfiltration, and downloading additional payloads.
Related:‘Crocodilus’ Sharpens Its Teeth on Android Users
Most troubling was Landfall’s detection evasion mechanisms. Unit 42 found the spyware to include multiple anti-analysis mechanisms to detect when it’s being examined by security researchers, identify when it is being debugged, detect popular reverse-engineering frameworks, and grant itself elevated privileges.
Unit 42 researchers identified at least six command and control (C2) servers that that attackers used to communicate with the malware. Landfall’s C2 infrastructure had multiple overlaps with infrastructure associated with Stealth Falcon, another purveyor of targeted spyware campaign. “Circumstantial evidence suggests there could be a link between this group and the United Arab Emirates (UAE) government, but that has not been confirmed,” Unit 42 said. However, it added, besides the infrastructure overlap, no other telemetry is so far available to suggest a direct link between Stealth Falcon and Landfall.
About the Author
Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master’s degree in Statistics and lives in Naperville, Ill.