Landfall - A New Commercial-Grade Spyware
In November 2025, researchers publicly disclosed a previously unknown Android spyware family, now called Landfall. The security team at Unit 42 (part of Palo Alto Networks) described it in a blog post as "new commercial-grade Android spyware in an exploit chain targeting Samsung devices."

The campaign appears to have run from mid-2024 until around April 2025, when the vulnerability it exploited was patched. The discovery began when Unit 42 investigated a parallel exploit chain affecting iOS devices; searching for related material led them to suspicious Android-targeting image samples.
What makes Landfall noteworthy is the delivery method: malware embedded inside specially crafted image files, specifically using the DNG (Digital Negative) image format, a raw format commonly used by cameras. By examining malicious DNG files submitted to public repositories (e.g., VirusTotal) dating back to July 2024, researchers mapped the timeline of the campaign.
Landfall was effectively hidden inside a seemingly innocent image file sent to target Samsung Galaxy phones. It exploited a zero-day vulnerability to gain control and install spyware, remaining undetected for many months.
Attribution in cyber espionage is difficult, but available evidence offers clues. Unit 42 notes Landfall is "commercial-grade" spyware, exhibiting sophistication typical of tools from private firms serving governments. Such firms—known as Private-Sector Offensive Actors (PSOAs)—develop and sell offensive cyber tools, often to authoritarian regimes.
Unit 42 observed that Landfall's infrastructure overlaps with that of Stealth Falcon, a known spyware operator in the Middle East, particularly in terms of domain registration patterns and server infrastructure. However, no definitive public link has been confirmed between Landfall and Stealth Falcon or any other named actor. At the time of writing, Unit 42 was unable to attribute Landfall to a specific vendor or state actor.
The targeted geography offers further clues: the malicious image files were submitted to VirusTotal from Iraq, Iran, Turkey, and Morocco. This suggests the campaign was not broad "spray and pray" malware but a precision tool aimed at high-value targets. The Unit 42 post described the activity as "precision attacks" rather than mass distribution.
Zero-Day Vulnerabilities in Samsung and Apple as Initial Access Vectors
For the Android side of the equation, Landfall exploited a Samsung zero-day tracked as CVE‑2025‑21042, an out-of-bounds write in Samsung's image-processing library (libimagecodec.quram.so). The vulnerability allowed an attacker to feed a malformed DNG image file to a Samsung Galaxy device and thereby achieve remote code execution.
Samsung patched the flaw in its April 2025 security maintenance release; the campaign had been active for many months before that, and a Galaxy device whose security patch level predates that release remains exposed. The exploit chain appears to work without user interaction; that is, the victim did not necessarily need to click or open anything, making it a zero-click or near-zero-click attack.
The delivery vector was likely a messaging app such as WhatsApp: the analyzed image files carried filenames in the pattern WhatsApp uses for received media, for instance "WhatsApp Image 2025-02-10 at 4.54.17 PM.jpeg".
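The delivery method described above, a payload carried by a file that still parses as a valid DNG, lends itself to a first-pass triage check. The script below is an added example written for this article; it is not Unit 42's tooling and does not reproduce a Landfall sample. DNG is a TIFF container with no end-of-file marker, so the script walks every reachable IFD, computes the highest byte that any field, strip or tile actually references, and reports whatever lies past that point, together with any ZIP or ELF magic found there. Both sample files are constructed inside the script; the "appended" one carries a harmless in-memory ZIP archive, not a loader, and the tag layout, function names and magic list are my own choices, not anything taken from the report.

```python
"""Added example: structural triage of DNG/TIFF files for data the image does not need."""
import io
import struct
import zipfile

# TIFF 6.0 field types -> byte size (13 = IFD, the type DNG uses for SubIFDs)
TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 6: 1, 7: 1, 8: 2, 9: 4, 10: 8, 11: 4, 12: 8, 13: 4}
INT_FMT = {1: "B", 3: "H", 4: "I", 13: "I"}
SUBIFDS, EXIF_IFD, DNG_VERSION = 0x014A, 0x8769, 0xC612
STRIP_OFFSETS, STRIP_BYTE_COUNTS = 0x0111, 0x0117
TILE_OFFSETS, TILE_BYTE_COUNTS = 0x0144, 0x0145
PAIRS = ((STRIP_OFFSETS, STRIP_BYTE_COUNTS), (TILE_OFFSETS, TILE_BYTE_COUNTS))


def _ints(data, endian, typ, count, raw):
    """Decode an integer field, inline or via its offset; [] for non-integer types."""
    size = TYPE_SIZES.get(typ, 1) * count
    if typ not in INT_FMT:
        return []
    if size <= 4:
        blob = raw[:size]
    else:
        off = struct.unpack(endian + "I", raw)[0]
        blob = data[off:off + size]
    return list(struct.unpack(endian + INT_FMT[typ] * count, blob)) if len(blob) == size else []


def declared_extent(data):
    """Walk every reachable IFD; return (last byte the structure references, IFDs seen).
    A conforming reader never needs anything past that offset."""
    endian = {b"II*\x00": "<", b"MM\x00*": ">"}.get(data[:4])
    if endian is None:
        raise ValueError("not a classic TIFF/DNG header")
    queue, seen, extent = [struct.unpack(endian + "I", data[4:8])[0]], set(), 8
    while queue:
        ifd = queue.pop()
        if ifd == 0 or ifd in seen or ifd + 2 > len(data):
            continue
        seen.add(ifd)
        n = struct.unpack(endian + "H", data[ifd:ifd + 2])[0]
        end = ifd + 2 + 12 * n + 4  # count + entries + next-IFD pointer
        extent, fields = max(extent, end), {}
        for e in range(ifd + 2, min(end - 4, len(data) - 11), 12):
            tag, typ, count = struct.unpack(endian + "HHI", data[e:e + 8])
            raw = data[e + 8:e + 12]
            size = TYPE_SIZES.get(typ, 1) * count
            if size > 4:  # out-of-line value: the bytes it points at belong to the image
                extent = max(extent, struct.unpack(endian + "I", raw)[0] + size)
            if tag in (SUBIFDS, EXIF_IFD):
                queue.extend(_ints(data, endian, typ, count, raw))
            elif any(tag in pair for pair in PAIRS):
                fields[tag] = _ints(data, endian, typ, count, raw)
        for off_tag, len_tag in PAIRS:  # pixel data is referenced as offset/length pairs
            for off, length in zip(fields.get(off_tag, []), fields.get(len_tag, [])):
                extent = max(extent, off + length)
        if end <= len(data):
            queue.append(struct.unpack(endian + "I", data[end - 4:end])[0])
    return extent, len(seen)


def triage(data):
    """Heuristic verdict: bytes past the declared structure, and container magics in them."""
    extent, ifd_count = declared_extent(data)
    trailing, findings = data[extent:], []
    if extent > len(data):
        findings.append("declared structure extends past end of file")
    if trailing:
        findings.append(f"{len(trailing)} bytes past the declared structure")
        for magic, name in ((b"PK\x03\x04", "zip local file header"), (b"\x7fELF", "ELF header")):
            if magic in trailing:
                findings.append(f"{name} in trailing data")
    return {"ifds": ifd_count, "declared_extent": extent,
            "trailing_bytes": len(trailing), "findings": findings}


def _entry(endian, tag, typ, count, value):
    """One 12-byte IFD entry with an inline value (all fixture values fit in 4 bytes)."""
    if isinstance(value, bytes):
        payload = value.ljust(4, b"\x00")
    elif typ == 3:
        payload = struct.pack(endian + "H", value).ljust(4, b"\x00")
    else:
        payload = struct.pack(endian + "I", value)
    return struct.pack(endian + "HHI", tag, typ, count) + payload


def build_sample_dng(width=4, height=2, trailer=b""):
    """Constructed fixture: minimal little-endian DNG-flavoured TIFF, one 8-bit strip."""
    endian, n = "<", 8
    pixels = bytes(range(width * height))
    pixel_offset = 8 + 2 + 12 * n + 4  # header, then the IFD, then pixel data
    entries = [(0x0100, 4, 1, width), (0x0101, 4, 1, height),
               (0x0102, 3, 1, 8), (0x0106, 3, 1, 1),
               (STRIP_OFFSETS, 4, 1, pixel_offset), (0x0116, 4, 1, height),
               (STRIP_BYTE_COUNTS, 4, 1, len(pixels)),
               (DNG_VERSION, 1, 4, b"\x01\x04\x00\x00")]  # DNGVersion 1.4.0.0
    ifd = struct.pack(endian + "H", n) + b"".join(_entry(endian, *e) for e in entries)
    return b"II*\x00" + struct.pack(endian + "I", 8) + ifd + struct.pack(endian + "I", 0) + pixels + trailer


def constructed_zip_trailer():
    """Harmless in-memory zip standing in for an appended archive (placeholder text, no code)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("payload.txt", "placeholder, not a real loader")
    return buf.getvalue()


if __name__ == "__main__":
    print("clean   ", triage(build_sample_dng()))
    print("appended", triage(build_sample_dng(trailer=constructed_zip_trailer())))
```

Treat the output as a triage signal, not a verdict: legitimate raw files can carry bytes the walk does not account for (private maker data reached only through a MakerNote, vendor padding), and a file engineered to corrupt the decoder need not carry any trailing payload at all. The "declared structure extends past end of file" finding is the complementary case, an IFD or strip pointing beyond the data that exists, which is exactly the kind of inconsistency a hardened parser must reject before reading.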
While Landfall's publicized campaign so far appears focused on Samsung Android devices, the researchers point out a parallel vulnerability chain on Apple devices. For example, they mention CVE-2025-43300, a zero-day vulnerability in the DNG image parsing component of iOS, and CVE-2025-55177, a zero-day vulnerability in WhatsApp's device sync feature.
Although those Apple-side vulnerabilities are not necessarily direct evidence that Landfall has been used on iOS, the timing and attack vector similarity suggest a broader trend: malformed DNG image files sent via messaging apps are being used to deliver powerful spyware on mobile platforms.
Key points of note on the vulnerabilities:
- A zero-day is a flaw the vendor has not yet patched when it is exploited, so even a fully updated device offers no protection until a fix ships.
- The use of DNG image files is clever: images are commonly exchanged, trusted or overlooked, and thus make an ideal delivery method for hidden payloads.
- The fact that the exploit chain is near-zero-click (i.e., requiring little to no user interaction) amplifies the danger, as the victim may be unaware that anything malicious has occurred.
- Once inside, the spyware gains deep access, tracking location, listening to the microphone, watching through the camera, and monitoring call logs, contacts, and apps. The device essentially becomes a surveillance tool.
Landfall operates within a much larger landscape of sophisticated mobile spyware tools, often developed by private companies for use by governments, intelligence agencies, or other state-linked actors. Some previously known names: Pegasus (by NSO Group), FinFisher (by Gamma), and Predator (by Cytrox).
What sets modern tools like Landfall apart:
- The use of zero-day vulnerabilities, often chained, to fully compromise devices without interaction.
- Modular architecture: Once the base infection is successful, additional modules can be deployed to extend capabilities (for example, microphone recording, camera snapshots, file exfiltration).
- Focus on mobile devices: Desktop and laptop spyware have been around for years. The shift toward phones is deliberate: phones are more private and more personal, and hold more sensitive data than a typical computer.
- Targeted, rather than mass: Tools such as Landfall are not aimed at mass consumer infections; they are precision tools designed for high-value targets such as activists, journalists, government officials, and dissidents. The clustering of Landfall's samples among individuals in the Middle East and North Africa is consistent with that pattern.
In this light, Landfall serves as a reminder that mobile security matters not just for consumers, but also for enterprises and high-profile users. It also underscores the evolving arms race between spyware vendors, device manufacturers, and security researchers. Device makers like Samsung and Apple must constantly patch zero-day vulnerabilities, and arguably now must do so faster than ever.
For most users, the risk remains low, but the consequences of a compromise are extremely high: your phone is your personal data center, your communications hub, and your location tracker. Recognizing mobile devices as part of your threat landscape is no longer optional.
Karolis Liucveikis
Experienced software engineer, passionate about behavioral analysis of malicious apps
Author and general operator of PCrisk's News and Removal Guides section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has over 8 years of experience in this field. He attended Kaunas University of Technology and graduated with a degree in Software Development in 2017. Extremely passionate about the technical aspects and behavior of various malicious applications.
The PCrisk security portal is brought to you by RCS LT.
The joined forces of security researchers help educate computer users about the latest online security threats. More information about the company RCS LT.
Our malware removal guides are free. However, if you want to support us you can send us a donation.