Previously unknown Landfall spyware used in 0-day attacks on Samsung phones

Summary

Palo Alto Networks Unit 42 has uncovered a previously unknown Android spyware family, LANDFALL, that exploited a critical Samsung image-parsing zero-day (CVE-2025-21042). The campaign likely began in July 2024 and ran until Samsung patched the flaw in April 2025. Delivery was zero-click: most likely a maliciously crafted image sent over a messaging app, requiring no action from the victim. The exploit installed a commercial-grade surveillance implant able to record calls, harvest photos, collect messages and contacts, fingerprint the device and exfiltrate the data. Targeting was narrow and concentrated in the Middle East (Iraq, Iran, Turkey and Morocco). Technical overlaps link the infrastructure to known state-tied tooling such as Stealth Falcon, but Unit 42 stops short of definitive attribution.

Key Points

  • LANDFALL is a new Android spyware family discovered by Palo Alto Networks Unit 42.
  • It exploited CVE-2025-21042, a critical DNG/image-processing bug affecting Samsung Galaxy devices on Android 13–16.
  • Infections were likely zero-click: a crafted image could trigger the exploit without user interaction.
  • The campaign appears highly targeted — victims in the Middle East (Iraq, Iran, Turkey, Morocco) — and low-volume.
  • Landfall provides full surveillance capabilities: call recording, location tracking, photo/file access, message/contact capture and device fingerprinting.
  • Researchers observed reuse of tradecraft and infrastructure similar to Stealth Falcon, but attribution is not confirmed.
  • Related DNG/image-parsing exploit activity affected iOS and WhatsApp in the same timeframe; Samsung patched related issues in September 2025.
  • Unit 42 believes the original CVE-2025-21042 attack chain is no longer active, but similar chains persisted into August/September 2025.

Context and relevance

This discovery sits inside a broader wave of image-parsing zero-day exploitation that hit both Android and iOS in 2024–25. It matters because it shows that well-resourced actors can weaponise widely deployed image-decoding code for zero-click surveillance across multiple mobile platforms, where the victim need only receive a file. For security teams the case underlines three things: timely patch management (the fix shipped in April 2025, so a device's security patch level is the first thing to check), threat hunting aimed at bespoke mobile spyware behaviour rather than signatures alone, and extra protection for high-risk users such as journalists, activists and diplomats in sensitive regions.

Author style

Punchy: This isn’t run-of-the-mill malware — LANDFALL is polished, modular and purpose-built for espionage. If you look after mobile security, privacy, or high-risk users, read the full technical report: the details matter for detection and mitigation.

Why should I read this?

Short version: if you or anyone you protect uses Samsung Galaxy phones, especially in or connected to the Middle East, this is worrying. The attackers used a stealthy zero-click image exploit to plant a spyware suite that could quietly steal calls, photos and messages. Updating devices and checking for indicators of compromise are sensible steps — so skim the details and act fast.
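The two practical steps named above and in the context section (confirm devices carry the April 2025 fix, and hunt for suspicious DNG images in messaging-app media) can be scripted. The following is an added example written for this digest; it is not code from The Register, Unit 42 or Samsung. It assumes the Android property `ro.build.version.security_patch` (real, read with `adb shell getprop`) and assumes the Samsung April 2025 release reports patch level `2025-04-01`. DNG detection relies on the documented TIFF container format: a DNG is a TIFF whose first IFD carries the DNGVersion tag (0xC612), so files are classified by content rather than by extension, since a crafted image need not carry a `.dng` name. All sample inputs below are constructed.

```python
"""Triage helpers for the LANDFALL / CVE-2025-21042 case (added example, not from the article).

Two checks: (1) does a device's security patch level predate the April 2025 fix,
and (2) which files in a media folder are really DNG images, whatever their name.
"""
import struct
from datetime import date
from typing import Optional

PATCH_PROP = "ro.build.version.security_patch"   # real Android system property
# Assumption: the Samsung release that fixed CVE-2025-21042 reports this level.
CVE_2025_21042_FIX = date(2025, 4, 1)
DNG_VERSION_TAG = 0xC612  # TIFF tag "DNGVersion"; present only in DNG files


def parse_patch_level(getprop_output: str) -> Optional[date]:
    """Pull the security patch date out of `adb shell getprop` output."""
    for line in getprop_output.splitlines():
        line = line.strip()
        if line.startswith(f"[{PATCH_PROP}]"):
            # line looks like: [ro.build.version.security_patch]: [2025-03-01]
            value = line.split("]: [", 1)[1].rstrip("]")
            y, m, d = (int(part) for part in value.split("-"))
            return date(y, m, d)
    return None


def missing_cve_2025_21042_fix(getprop_output: str) -> bool:
    """True when the device is unpatched or its patch level cannot be read."""
    level = parse_patch_level(getprop_output)
    return level is None or level < CVE_2025_21042_FIX


def first_ifd_tags(data: bytes) -> set[int]:
    """Return the tag numbers in the first IFD of a TIFF/DNG, or an empty set."""
    if len(data) < 8:
        return set()
    if data[:4] == b"II*\x00":
        end = "<"          # little-endian TIFF
    elif data[:4] == b"MM\x00*":
        end = ">"          # big-endian TIFF
    else:
        return set()       # not a TIFF container at all
    (ifd_off,) = struct.unpack_from(end + "I", data, 4)
    if ifd_off + 2 > len(data):
        return set()       # IFD offset points past the buffer
    (count,) = struct.unpack_from(end + "H", data, ifd_off)
    tags: set[int] = set()
    for i in range(count):
        entry = ifd_off + 2 + 12 * i   # each IFD entry is 12 bytes
        if entry + 12 > len(data):
            break                      # truncated IFD: never read past the end
        (tag,) = struct.unpack_from(end + "H", data, entry)
        tags.add(tag)
    return tags


def is_dng(data: bytes) -> bool:
    return DNG_VERSION_TAG in first_ifd_tags(data)


def triage_media(files: dict[str, bytes]) -> list[str]:
    """Names of files that are DNG by content, regardless of their extension."""
    return sorted(name for name, blob in files.items() if is_dng(blob))


def build_tiff(tags: list[int], big_endian: bool = False) -> bytes:
    """Constructed minimal TIFF: 8-byte header plus one IFD holding `tags`."""
    end = ">" if big_endian else "<"
    header = (b"MM\x00*" if big_endian else b"II*\x00") + struct.pack(end + "I", 8)
    ifd = struct.pack(end + "H", len(tags))
    for tag in tags:
        # tag, type 1 (BYTE), count 4, then 4 value bytes stored inline
        ifd += struct.pack(end + "HHI", tag, 1, 4) + b"\x01\x06\x00\x00"
    ifd += struct.pack(end + "I", 0)   # no next IFD
    return header + ifd


# Constructed sample inputs (not real device or victim data).
SAMPLE_GETPROP_OLD = "[ro.build.version.security_patch]: [2025-03-01]\n[ro.product.model]: [example]\n"
SAMPLE_GETPROP_NEW = "[ro.build.version.security_patch]: [2025-09-01]\n"
SAMPLE_FILES = {
    "IMG-20250212-WA0001.jpg": build_tiff([0x0100, 0x0101, DNG_VERSION_TAG]),  # DNG hiding as .jpg
    "scan.tif": build_tiff([0x0100, 0x0101], big_endian=True),                # plain TIFF
    "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,                          # JPEG header
}

if __name__ == "__main__":
    print("unpatched:", missing_cve_2025_21042_fix(SAMPLE_GETPROP_OLD))
    print("DNG files:", triage_media(SAMPLE_FILES))
```

In practice the getprop text comes from `adb shell getprop` on each enrolled device, and the media dictionary from walking a messaging app's received-media directory on a device image; a DNG that arrived between July 2024 and April 2025 on an unpatched Galaxy is the artefact worth pulling for deeper analysis.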

Source

Source: https://go.theregister.com/feed/www.theregister.com/2025/11/07/landfall_spyware_samsung_0days/