Landfall Spyware: Zero-Click Image Exploit Spied on Samsung Phones for a Year
A next-generation spyware implant operated undetected for nearly a year, hiding deep within Samsung Galaxy smartphones and exploiting a vulnerability unknown to the manufacturer. Researchers from Palo Alto Networks Unit 42 revealed that the malware, named Landfall, leveraged a critical flaw in Samsung’s image-processing library to install a comprehensive surveillance system. The implant intercepted calls, tracked movements, and copied photos and system logs — all without leaving visible traces on the device. The issue was only resolved in April 2025, when Samsung released a security update patching the vulnerability CVE-2025-21042.
According to analysts, infections began in July 2024, affecting models running Android 13 through 16. The flaw allowed attackers to send specially crafted images that could trigger infection without user interaction — a so-called “zero-click” exploit. It was enough for the image to reach the device via a messaging app or email client; the compromise occurred automatically thereafter. Analysts believe the campaign specifically targeted smartphones in the Middle East, including Iraq, Iran, Turkey, and Morocco, indicating a highly targeted and sophisticated operation.
Landfall belongs to the class of commercial-grade spyware, comparable in capability to Pegasus or Predator. Once installed, it embedded itself deeply into the system, collecting device identifiers, contacts, messages, and multimedia files. It could also record calls and transmit stolen data to remote servers. Its modular architecture allowed each component to perform distinct roles — from injection to data exfiltration — simplifying both updates and adaptation across different Android versions.
Researchers discovered Landfall while investigating a chain of other image-processing vulnerabilities in mobile operating systems. In August 2025, Apple patched a similar flaw in its ImageIO framework that allowed arbitrary code execution on iPhones and iPads. Around the same time, Meta warned of sophisticated WhatsApp-based attacks exploiting that bug in conjunction with another messaging vulnerability. During this period, the WhatsApp team also notified Samsung of a separate flaw tied to the DNG format, which the company later fixed in September 2025 under CVE-2025-21043.
Despite the overlapping exploitation mechanisms, Unit 42 found no conclusive evidence that Landfall was used in combination with these other vulnerabilities.
It is suspected, however, that these incidents were part of a broader campaign leveraging DNG image parsing flaws to implant mobile spyware across multiple platforms. Since the most recent exploit chains were detected in August and September, researchers believe this wave of attacks likely persisted through late 2025. There is currently no indication that CVE-2025-21042 remains under active exploitation, though experts warn that future variants may employ similar methods.
The Landfall infrastructure appeared closely aligned with networks previously attributed to the Stealth Falcon group — an entity active since 2012, known for targeting journalists, activists, and dissidents across the Persian Gulf region. While researchers caution that domain naming patterns and registration methods alone are insufficient for definitive attribution, the sophistication and resources behind the operation strongly suggest state-level sponsorship rather than ordinary cybercriminal activity.