
Landfall Malware Strikes Samsung Galaxy Users

By Staff Writer, November 7, 2025

Summary Points

  1. Zero-Day Exploit: A likely private vendor of offensive security tools used a zero-day vulnerability (CVE-2025-21042) in Samsung’s Android image processing library to deploy commercial-grade spyware, dubbed “Landfall,” against Galaxy users in the Middle East from at least mid-2024 until Samsung patched the flaw in April 2025.

  2. Spyware Capabilities: Landfall lets its operators secretly record conversations, track device locations, capture photos, and collect contacts and call logs from compromised devices. It was delivered through weaponized DNG image files, most likely sent over WhatsApp.

  3. Coordinated Exploitation: The exploit chain closely resembles attacks on iOS devices discovered around the same time, pointing to a broader pattern of exploitation aimed at image-processing vulnerabilities across mobile platforms, of the kind typically associated with government surveillance.

  4. Detection Evasion: Landfall includes anti-analysis checks to spot debuggers and reverse-engineering frameworks, escalates its own privileges, and is controlled through at least six command-and-control servers whose infrastructure overlaps with that of the Stealth Falcon group; a link to the UAE government rests on circumstantial evidence only and has not been confirmed.


A likely private vendor of offensive security tools quietly exploited a zero-day vulnerability in Samsung’s Android image processing library to drop a commercial-grade spyware tool on targeted Samsung Galaxy users in the Middle East.

The malicious activity went on from at least mid-2024 to April 2025, when Samsung fixed the vulnerability after a researcher privately reported the issue to the company. Researchers on Palo Alto Networks’ Unit 42 team discovered the spyware tool while following up on public reports of exploits targeting iOS devices earlier this year.

The Landfall Threat

Researchers named the malware “Landfall” and described it in a report this week as a tool that lets its operators secretly record conversations, track device locations, capture photos, collect contacts and call logs, and perform other surveillance on compromised devices. The team observed attackers exploiting CVE-2025-21042, a critical flaw in Samsung’s image processing library, to deliver the spyware through specially crafted Digital Negative (DNG) image files. Unit 42’s analysis showed the attackers likely sent the weaponized image files via WhatsApp primarily to targets in Iraq, Iran, Turkey, and Morocco.

The exploit chain, according to Unit 42, closely resembled similar attacks discovered on iOS around the same time, suggesting a broader pattern of coordinated exploitation targeting image-processing vulnerabilities across multiple mobile platforms.


“From the initial appearance of samples in July 2024, this activity highlights how sophisticated exploits can remain in public repositories for an extended period before being fully understood,” Unit 42 said in its report. “The analysis of the loader reveals evidence of commercial-grade activity. The Landfall spyware components suggest advanced capabilities for stealth, persistence and comprehensive data collection from modern Samsung devices.”

A Disconcerting Pattern

The activity that Unit 42 discovered matches similar campaigns in recent years in which governments, intelligence agencies, and law enforcement have used sophisticated, commercially available mobile spyware to monitor civil rights activists, political opponents, think tanks, and journalists of interest. The better-known purveyors of such tools include the NSO Group and its notorious Pegasus spyware, Cytrox/Intellexa’s Predator spyware and its broader Nova suite of malicious tools, and Gamma Group’s FinFisher/FinSpy. Last year, Google reported that such commercial surveillance vendors accounted for nearly half of all known zero-day exploits against its products between 2014 and 2023. And just last month, a US federal judge issued a permanent injunction barring the NSO Group from reverse engineering WhatsApp to deliver spyware.


The path that led to Unit 42’s discovery of Landfall began with its investigation of malicious activity related to CVE-2025-43300, a zero-day bug that affected the DNG image parsing component in Apple iOS. Soon after Apple’s disclosure, WhatsApp reported a zero-day bug (CVE-2025-55177) in a device synchronization feature that attackers were chaining with CVE-2025-43300 to force compromised devices to process content from attacker-controlled URLs. In September, WhatsApp reported a similar vulnerability (CVE-2025-21043) to Samsung as well.

The Path to Discovery

Unit 42’s pursuit of the malicious iOS activity led to its discovery of malformed DNG files containing Landfall that had been uploaded to VirusTotal in 2024 and 2025. The security vendor’s analysis showed the spyware to be modular in design and optimized for monitoring high-end Samsung devices like Galaxy S22, S23, and S24 series, and stealing data from them. 
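The two threads above, a crafted DNG image that triggers a bug in the parser, and malformed DNG files turning up on VirusTotal, both come down to the file’s structure. The script below is an added example, not Unit 42’s tooling and not code from the report: it walks a DNG (which is a TIFF 6.0 container) by following the header, the IFD chain, sub-IFDs and strip/tile pointers, computes the farthest byte the file’s own structure accounts for, and flags pointers past end-of-file or bytes after the last referenced structure. The sample files it runs on are constructed inline; the 64-byte tail is a stand-in for unreferenced data and not a reconstruction of any real Landfall sample.

```python
"""Structural triage for DNG/TIFF attachments (added example, not Unit 42 code)."""
import struct

# Byte size of each TIFF field type (TIFF 6.0 plus the later 64-bit additions).
TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 6: 1, 7: 1, 8: 2, 9: 4,
              10: 8, 11: 4, 12: 8, 13: 4, 16: 8, 17: 8, 18: 8}
INT_FORMATS = {1: "B", 3: "H", 4: "I", 13: "I"}   # BYTE, SHORT, LONG, IFD

STRIP_OFFSETS, STRIP_BYTE_COUNTS = 273, 279
TILE_OFFSETS, TILE_BYTE_COUNTS = 324, 325
SUB_IFDS, EXIF_IFD = 330, 34665
DNG_VERSION = 50706


def _int_values(data, endian, typ, count, field):
    """Integer values of one IFD entry: inline if they fit in 4 bytes, else at the offset."""
    fmt = INT_FORMATS.get(typ)
    size = TYPE_SIZES.get(typ, 0) * count
    if fmt is None:
        return []
    if size <= 4:
        blob = field[:size]
    else:
        off = struct.unpack(endian + "I", field)[0]
        blob = data[off:off + size]
    if len(blob) < size:
        return []
    return list(struct.unpack(endian + fmt * count, blob))


def _walk_ifd(data, endian, offset, seen, report):
    """Follow an IFD chain (and its sub-IFDs), extending report['reach'] as it goes."""
    while offset and offset not in seen:
        seen.add(offset)
        if offset + 2 > len(data):
            report["findings"].append(f"IFD offset {offset} points past end of file")
            return
        n = struct.unpack(endian + "H", data[offset:offset + 2])[0]
        end = offset + 2 + n * 12 + 4
        report["reach"] = max(report["reach"], end)
        if end > len(data):
            report["findings"].append(f"IFD at {offset} truncated")
            return
        entries = {}
        for i in range(n):
            pos = offset + 2 + i * 12
            tag, typ, count = struct.unpack(endian + "HHI", data[pos:pos + 8])
            field = data[pos + 8:pos + 12]
            size = TYPE_SIZES.get(typ, 0) * count
            if size > 4:   # value lives elsewhere; the 4-byte field is its offset
                report["reach"] = max(report["reach"], struct.unpack(endian + "I", field)[0] + size)
            entries[tag] = _int_values(data, endian, typ, count, field)
        for off_tag, len_tag in ((STRIP_OFFSETS, STRIP_BYTE_COUNTS), (TILE_OFFSETS, TILE_BYTE_COUNTS)):
            for start, length in zip(entries.get(off_tag, []), entries.get(len_tag, [])):
                report["reach"] = max(report["reach"], start + length)
        if DNG_VERSION in entries:
            report["dng_version"] = entries[DNG_VERSION]
        for sub in entries.get(SUB_IFDS, []) + entries.get(EXIF_IFD, []):
            _walk_ifd(data, endian, sub, seen, report)
        offset = struct.unpack(endian + "I", data[end - 4:end])[0]


def triage_dng(data):
    """Return {'reach', 'trailing_bytes', 'dng_version', 'findings'} for a byte string."""
    report = {"reach": 0, "dng_version": None, "findings": []}
    if len(data) < 8 or data[:2] not in (b"II", b"MM"):
        report["findings"].append("not a TIFF/DNG container")
        report["trailing_bytes"] = len(data)
        return report
    endian = "<" if data[:2] == b"II" else ">"
    magic, first_ifd = struct.unpack(endian + "HI", data[2:8])
    if magic != 42:
        report["findings"].append(f"unexpected TIFF magic {magic}")
    report["reach"] = 8
    _walk_ifd(data, endian, first_ifd, set(), report)
    if report["dng_version"] is None:
        report["findings"].append("no DNGVersion tag (plain TIFF, not DNG)")
    report["trailing_bytes"] = max(0, len(data) - report["reach"])
    if report["trailing_bytes"]:
        report["findings"].append(f"{report['trailing_bytes']} bytes after the last referenced structure")
    return report


def build_sample_dng(pixels, trailer=b""):
    """Constructed sample: minimal little-endian DNG with one 8-bit greyscale strip."""
    entries = [  # (tag, type, count, inline value), in ascending tag order
        (256, 4, 1, len(pixels)),          # ImageWidth
        (257, 4, 1, 1),                    # ImageLength
        (258, 3, 1, 8),                    # BitsPerSample
        (259, 3, 1, 1),                    # Compression: none
        (262, 3, 1, 1),                    # PhotometricInterpretation: BlackIsZero
        (STRIP_OFFSETS, 4, 1, None),       # filled in once the IFD size is known
        (277, 3, 1, 1),                    # SamplesPerPixel
        (278, 4, 1, 1),                    # RowsPerStrip
        (STRIP_BYTE_COUNTS, 4, 1, len(pixels)),
        (DNG_VERSION, 1, 4, 0x00000401),   # bytes 01 04 00 00 = DNG 1.4.0.0
    ]
    strip_offset = 8 + 2 + len(entries) * 12 + 4
    out = bytearray(b"II" + struct.pack("<HI", 42, 8))
    out += struct.pack("<H", len(entries))
    for tag, typ, count, value in entries:
        out += struct.pack("<HHII", tag, typ, count, strip_offset if value is None else value)
    out += struct.pack("<I", 0)            # end of IFD chain
    out += pixels
    return bytes(out + trailer)


if __name__ == "__main__":
    clean = build_sample_dng(bytes(16))
    padded = build_sample_dng(bytes(16), bytes(range(64)))  # constructed: unreferenced tail
    for name, blob in (("clean", clean), ("padded", padded)):
        print(name, triage_dng(blob))
```

Treat the result as a triage signal rather than a verdict: camera firmware and editing tools do write private tags, padding and maker notes that a strict walk will not account for, so real DNGs can legitimately carry some unreferenced bytes, while a file that crashes a native image library can be structurally tidy and only malicious in the values it feeds the decoder. The useful property is the inverse one: an image attachment whose structure is followed by a large blob of data that nothing in the file references deserves a second look before a phone’s image library ever parses it.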

Based on the command strings and execution paths the researchers identified, Landfall is equipped for extensive device fingerprinting, data exfiltration, and the downloading of additional payloads.


Most troubling were Landfall’s detection evasion mechanisms. Unit 42 found that the spyware includes multiple anti-analysis checks to detect when it is being examined by security researchers, to identify when it is being debugged, and to recognize popular reverse-engineering frameworks, along with logic to grant itself elevated privileges.

Unit 42 researchers identified at least six command-and-control (C2) servers that the attackers used to communicate with the malware. Landfall’s C2 infrastructure had multiple overlaps with infrastructure associated with Stealth Falcon, a threat group known for targeted spyware campaigns. “Circumstantial evidence suggests there could be a link between this group and the United Arab Emirates (UAE) government, but that has not been confirmed,” Unit 42 said. However, it added, apart from the infrastructure overlap, no other telemetry is so far available to suggest a direct link between Stealth Falcon and Landfall.

Staff Writer

John Marcelli is a staff writer for the CISO Brief, with a passion for exploring and writing about the ever-evolving world of technology. From emerging trends to in-depth reviews of the latest gadgets, John stays at the forefront of innovation, delivering engaging content that informs and inspires readers. When he's not writing, he enjoys experimenting with new tech tools and diving into the digital landscape.
