Newly identified Android spyware appears to be from a commercial vendor

Summary

Researchers at Palo Alto Networks’ Unit 42 uncovered LANDFALL, a “commercial grade” Android spyware campaign that ran for about nine months and appears focused on Samsung Galaxy devices in the Middle East.

The spyware exploited a zero-day in Galaxy image processing (CVE-2025-21042) by delivering malformed DNG (TIFF) images with an appended ZIP archive, likely via WhatsApp. The flaw was patched in April 2025.

LANDFALL may have operated as zero-click malware and could record microphones, track location, capture calls, photos, texts, contacts and call history, then exfiltrate that data to command-and-control servers.

Key Points

  • LANDFALL exploited a zero-day in Samsung’s image handling (CVE-2025-21042) using malformed DNG files.
  • The campaign likely used WhatsApp to deliver the malicious images and may have been zero-click.
  • Capabilities included microphone recording, location and call logging, photos/text exfiltration and contact harvesting.
  • Unit 42 links the campaign’s tradecraft and infrastructure to commercial spyware operations in the Middle East, suggesting a private-sector vendor origin.
  • There are infrastructure similarities with Stealth Falcon activity, but no direct overlap; victims were likely in Iraq, Iran, Turkey and Morocco.
  • The vulnerability was privately reported to Samsung in September 2024 but only patched in April 2025; targeted models include the Galaxy Z Fold4, Z Flip4 and S22/S23/S24 series.
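The delivery format described above (a TIFF-based DNG image with a ZIP archive appended to it) is a polyglot: TIFF parsers read the file from its header, while ZIP parsers locate the archive from the end-of-central-directory record near the file's end, so a single file satisfies both. The following added example, not code from the article or from Unit 42, is a defensive triage check that flags a TIFF/DNG file which also parses as a consistent ZIP; the TIFF stub and the `payload.bin` member are constructed test data, and the check is a heuristic for hunting, not a signature for LANDFALL itself.

```python
"""Flag TIFF/DNG files that also carry an appended ZIP archive (a TIFF/ZIP polyglot)."""
import io
import struct
import zipfile

TIFF_MAGICS = (b"II*\x00", b"MM\x00*")  # little-/big-endian TIFF headers; DNG is a TIFF container
EOCD_SIG = b"PK\x05\x06"                # ZIP end-of-central-directory record, found near the file end
CDIR_SIG = b"PK\x01\x02"                # ZIP central directory file header


def find_appended_zip(data: bytes):
    """Return details of an embedded ZIP if a TIFF-looking blob also parses as a ZIP, else None."""
    if not data.startswith(TIFF_MAGICS):
        return None
    # ZIP readers locate the archive from the end, so a TIFF prefix is invisible to them;
    # the EOCD sits within the last 22 bytes plus an at most 65535-byte archive comment.
    eocd = data.rfind(EOCD_SIG, max(0, len(data) - (22 + 0xFFFF)))
    if eocd < 0 or eocd + 22 > len(data):
        return None
    # EOCD fields after the signature: disk, cd_disk, entries_here, entries, cd_size, cd_offset, comment_len
    _, _, _, entries, cd_size, cd_offset, comment_len = struct.unpack_from("<HHHHIIH", data, eocd + 4)
    cd_start = eocd - cd_size  # where the central directory really sits in this file
    if cd_start < 0 or data[cd_start:cd_start + 4] != CDIR_SIG:
        return None  # "PK\x05\x06" just happened to occur in pixel data; no consistent ZIP behind it
    try:
        members = zipfile.ZipFile(io.BytesIO(data)).namelist()  # zipfile tolerates the TIFF prefix
    except zipfile.BadZipFile:
        return None
    return {"zip_prefix_len": cd_start - cd_offset,  # bytes of TIFF sitting in front of the archive
            "entries": entries, "members": members,
            "trailing_bytes": len(data) - (eocd + 22 + comment_len)}


def tiff_stub() -> bytes:
    """Constructed minimal little-endian TIFF: header plus one IFD entry (ImageWidth = 1)."""
    ifd = struct.pack("<H", 1) + struct.pack("<HHII", 256, 3, 1, 1) + struct.pack("<I", 0)
    return b"II*\x00" + struct.pack("<I", 8) + ifd


def build_sample_polyglot() -> bytes:
    """Constructed test input: the TIFF stub with a one-member ZIP appended (placeholder content)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("payload.bin", b"constructed placeholder, not real spyware")
    return tiff_stub() + buf.getvalue()


if __name__ == "__main__":
    print(find_appended_zip(build_sample_polyglot()))  # appended archive reported with its member list
    print(find_appended_zip(tiff_stub()))              # plain TIFF: None
```

Run it over a quarantined sample set or a mailbox/chat attachment store; a hit means the image is worth a closer look, and the reported `zip_prefix_len` tells you where the TIFF ends and the archive begins.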

Why should I read this?

Short version: if you manage mobile security or use Galaxy phones in sensitive roles, this matters. LANDFALL is stealthy, powerful and likely sold or run by a commercial vendor — so it’s not random malware. The patch exists now, but the attack window was long and the spying was targeted. Worth a quick check of patch status on any affected devices.

Author note

Punchy takeaway: this isn’t script-kiddie rubbish — it’s precision espionage-grade tooling. Read the details if you care about device hygiene, regional threat actors or the risks of zero-click mobile exploits. We’ve done the legwork so you can act quickly.

Context and Relevance

LANDFALL illustrates a continuing trend: sophisticated, commercially supplied spyware being used for targeted surveillance in geopolitically sensitive regions. The use of a zero-day in a ubiquitous phone image-parsing library, combined with likely WhatsApp delivery, shows how easily high-value targets can be compromised without user interaction.

For security teams, the incident underlines the need for rapid patch management, threat-hunting for signs of compromise (unusual C2 connections, unexpected audio or file exfiltration), and scrutiny of commercial spyware vendors and their infrastructure links to regional actors.

Source

Source: https://therecord.media/landfall-spyware-middle-east-appears-commercial-grade