Security researchers at Palo Alto Networks, Unit 42 have uncovered a sophisticated spyware campaign dubbed “LANDFALL” that exploited a previously unknown zero-day vulnerability (CVE-2025-21042) in select Samsung Galaxy Android devices to conduct targeted surveillance over an extended period. The attack chain reportedly began in July 2024 and leveraged a maliciously crafted image—potentially delivered via messaging apps—to silently install spyware capable of exfiltrating call logs, messages and location data, and even activating the microphone. The flaw was privately reported to Samsung in September 2024 and patched in April 2025, but not before the campaign had achieved penetration in regions including the Middle East and North Africa. Investigators found the spyware’s infrastructure bore strong resemblance to that of known commercial surveillance providers, raising questions about private-sector offensive cyber tools and their use in state-aligned espionage.
Sources: Palo Alto Networks, ARS Technica
Key Takeaways
– The LANDFALL campaign employed a zero-click delivery via malformed DNG image files, enabling infection without user interaction.
– Samsung Galaxy models including the S22, S23, S24 series and Z-series devices (Android 13 – 15) were targeted, and the vulnerability was patched only in April 2025.
– Findings point to a commercial-grade spyware tool used in precise espionage activities rather than mass-market malware, highlighting the intersection of private-sector offensive cyber tools and state surveillance.
In-Depth
The revelation of the LANDFALL spyware campaign raises sharp alarms about the integrity of mobile devices, the role of private surveillance firms and the lingering risk posed by delayed patches in the Android ecosystem. According to Unit 42, the exploit exploited a vulnerability in Samsung’s image-processing library (CVE-2025-21042) in which a malicious DNG image file embedded a ZIP payload that loaded native modules on the device.
This kind of delivery chain—sending an image file via a messaging app that automatically triggers code execution—is one of the most insidious forms of mobile attack since it requires minimal user involvement.
The campaign appears to have proceeded with surgically chosen targets rather than indiscriminately. The malware uploads found on VirusTotal were traced to devices in Iran, Iraq, Morocco and Turkey.
That kind of distribution suggests that the objective was espionage: capturing calls, microphone audio, location data, messaging, contacts and media stored on the phone. Module analysis in the technical bulletin confirms capability for deeper system penetration, including SELinux policy manipulation for persistence.
For end-users, the take-away is clear: even high-end smartphones are vulnerable to advanced surveillance tools, and staying up to date on patches matters. Samsung issued the applicable fix in April 2025, but the campaign had been active since mid-2024, leaving many users potentially exposed for months.
From a broader viewpoint, this effort underscores how commercial spyware firms—loosely regulated and often operating in the shadows—are becoming the middle-men for state-level surveillance, enabling targeted intrusion against selected individuals rather than broad criminal campaigns. The infrastructure observed overlaps with those used by the group known as Stealth Falcon, which has tie-ins to the Middle East, though attribution remains unconfirmed.
For mobile security professionals, the LANDFALL case is a forensic gold-mine: it provides a detailed blueprint of how a modern mobile exploit can chain image-format flaws, privilege escalation modules and command-and-control channels to surreptitiously convert a device into a spy hub. For policymakers, it represents a compelling argument for stricter oversight of surveillance-tool vendors and tighter supply-chain governance of mobile OS vendors and app platforms. For enterprises and individuals alike, the risk is not theoretical—it’s real and immediate. A targeted campaign with little fanfare, but enormous potential for data extraction and operational compromise, has already happened.
Given your digital content production, mobile usage and global collaboration, this may also have implications for your workflow: any device you use, especially in sensitive communications or media production contexts, must be treated as potentially compromised unless proven otherwise. Mobile threat hygiene is no longer optional.