Researchers from Palo Alto Networks’ Unit 42 unveiled a previously unknown strain of commercial-grade Android spyware named LANDFALL.
This spyware was deployed through a sophisticated exploit chain that targeted Samsung Galaxy devices by abusing a zero-day vulnerability in Samsung’s image-processing library.
The discovery highlights both the persistence of advanced mobile surveillance campaigns and the growing threat posed by private-sector offensive actors (PSOAs) leveraging zero-day vulnerabilities for espionage purposes.
How LANDFALL Gained Entry
The LANDFALL spyware campaign exploited CVE-2025-21042, a zero-day vulnerability in Samsung’s image-processing component, libimagecodec.quram.so.
Attackers embedded the spyware in malformed Digital Negative (DNG) image files, which were distributed through popular messaging platforms such as WhatsApp.
These files mimicked legitimate photos, exploiting a zero-click vulnerability that allowed devices to be compromised without user interaction.
Unit 42’s analysis revealed that this exploit chain was active as early as mid-2024. The vulnerability allowed attackers to achieve remote code execution, install spyware, and silently exfiltrate sensitive data from compromised devices.
Inside the LANDFALL Spyware Framework
LANDFALL is a modular spyware framework specifically tailored for Samsung Galaxy smartphones, including models such as the Galaxy S22, S23, and S24 series, as well as the Z Fold4 and Z Flip4.
The infection chain begins with a malformed DNG image containing an embedded ZIP archive. Once executed, the archive deploys two primary components:
- Loader (b.so): A 64-bit shared object file serving as the main backdoor.
- SELinux Policy Manipulator (l.so): A component designed to modify Android’s SELinux security policies, enabling persistence and privilege escalation.
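The infection chain described above implies a simple triage heuristic: a DNG is a TIFF container and has no legitimate reason to carry a ZIP archive. The following Python check is an added example, not Unit 42's tooling or anything recovered from the campaign; it parses only the TIFF header and ZIP record markers, and the sample file it scans is constructed in the script (the entry names mirror the component names reported above, the contents are placeholders).

```python
import io
import struct
import zipfile

# TIFF/DNG byte-order marks mapped to struct endianness, plus ZIP record markers.
TIFF_MAGIC = {b"II*\x00": "<", b"MM\x00*": ">"}
ZIP_LOCAL_HEADER = b"PK\x03\x04"
ZIP_END_OF_CENTRAL_DIR = b"PK\x05\x06"


def inspect_dng(data: bytes) -> dict:
    """Report whether 'data' looks like a TIFF/DNG and whether a ZIP archive
    is embedded after the 8-byte TIFF header. Heuristic only: it does not
    validate the image itself, so treat a hit as a reason to quarantine."""
    result = {"is_tiff": False, "ifd_offset": None, "zip_offset": None,
              "zip_entries": [], "suspicious": False}
    if len(data) < 8 or data[:4] not in TIFF_MAGIC:
        return result
    endian = TIFF_MAGIC[data[:4]]
    result["is_tiff"] = True
    # Bytes 4..8 hold the offset of the first IFD in the declared byte order.
    result["ifd_offset"] = struct.unpack(endian + "I", data[4:8])[0]
    # Look for a ZIP local file header followed later by an end-of-central-
    # directory record; both must be present and ordered to count as a hit.
    lfh = data.find(ZIP_LOCAL_HEADER, 8)
    eocd = data.rfind(ZIP_END_OF_CENTRAL_DIR)
    if lfh == -1 or eocd == -1 or eocd < lfh:
        return result
    result["zip_offset"] = lfh
    try:
        with zipfile.ZipFile(io.BytesIO(data[lfh:])) as zf:
            result["zip_entries"] = zf.namelist()
    except zipfile.BadZipFile:
        # Markers present but archive unreadable: still worth flagging.
        result["zip_entries"] = []
    result["suspicious"] = True
    return result


def build_sample(with_zip: bool) -> bytes:
    """Constructed test input: a minimal little-endian TIFF header (first IFD
    at offset 8 with zero entries), optionally followed by a ZIP archive whose
    entries are placeholder bytes. This is synthetic data, not a real sample."""
    header = (b"II*\x00" + struct.pack("<I", 8)
              + struct.pack("<H", 0) + struct.pack("<I", 0))
    if not with_zip:
        return header
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("b.so", b"placeholder loader bytes")
        zf.writestr("l.so", b"placeholder policy bytes")
    return header + buf.getvalue()
```

Pointing `inspect_dng` at files pulled from a messaging app's media cache gives a quick first-pass filter; anything flagged should go to a proper DNG parser and sandbox rather than be trusted on this check alone.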
Once deployed, LANDFALL can perform comprehensive surveillance functions.
These include recording audio, tracking GPS locations, collecting photos and call logs, and exfiltrating SMS and contact data.
It also employs evasion mechanisms: it detects debugging tools and instrumentation frameworks such as Frida and Xposed, and it dynamically manipulates Android namespaces to conceal its operations.
LANDFALL’s command-and-control (C2) communications occur over HTTPS through non-standard TCP ports.
It initiates contact with the C2 server using POST requests that transmit device identifiers, agent IDs, and configuration data.
Analysis of six known C2 domains revealed infrastructure patterns overlapping with previously documented PSOA-linked operations in the Middle East.
A Broader Pattern of Exploitation
The discovery of LANDFALL fits into a larger pattern of exploitation involving DNG image-processing vulnerabilities across multiple mobile ecosystems.
Around the time CVE-2025-21042 was uncovered, Samsung addressed another flaw in the same library, CVE-2025-21043, in September 2025.
In the same period, Apple patched CVE-2025-43300, a zero-day affecting DNG parsing on iOS, and WhatsApp disclosed CVE-2025-55177, a vulnerability that enabled malicious image delivery through the messaging app.
The timing and similarity of these exploit chains suggest coordinated exploitation efforts by sophisticated threat actors targeting both Android and iOS platforms.
Researchers suggest that the overlap in tradecraft implies that LANDFALL may have shared developers, techniques, or objectives with other mobile surveillance tools operating in the region.
Potential Links to Spyware Vendors
While definitive attribution remains uncertain, Unit 42’s analysis found structural and operational similarities between LANDFALL’s infrastructure and that used by Stealth Falcon, a group previously associated with cyberespionage campaigns in the Middle East.
Additionally, internal debug strings within LANDFALL’s loader component refer to it as “Bridge Head,” a name commonly used by several commercial spyware frameworks — including those produced by Variston, Cytrox, and NSO Group — for their initial loader modules.
This connection raises the possibility that LANDFALL originated from a PSOA operating within or alongside Middle Eastern surveillance networks.
Such organizations often sell or license offensive cyber capabilities to government clients, blurring the line between state-sponsored and commercially motivated espionage.
Building Mobile Cyber Resilience
The LANDFALL campaign demonstrates the ongoing risk of zero-click exploits in modern mobile ecosystems.
To defend against advanced spyware threats like LANDFALL, organizations must adopt a proactive and layered security strategy.
- Keep devices hardened: Regularly update firmware and operating systems to patch vulnerabilities, and use mobile device management (MDM) to enforce encryption, authentication, and remote wipe policies.
- Deploy advanced threat detection and network monitoring: Use advanced mobile threat protection tools to block malware, and monitor for indicators of compromise (IOCs) or command-and-control (C2) activity.
- Reduce exposure to unverified content and applications: Avoid opening unverified files or links, disable automatic media downloads in messaging apps, and restrict the installation of non-approved applications.
- Strengthen security awareness and collaboration: Train users on mobile security best practices, promote secure communication tools, and collaborate with vendors and researchers to stay ahead of emerging threats.
Implementing these measures helps build overall cyber resilience.
The discovery of LANDFALL highlights the growing sophistication and commercialization of mobile spyware operations.
By exploiting image-processing vulnerabilities, attackers were able to deliver advanced espionage tools with stealth and scale, targeting high-value individuals and organizations across the Middle East.
Collaboration across organizations is essential to counter future spyware campaigns and reinforce global cybersecurity defenses.
Building on these lessons, adopting zero-trust principles offers a proactive framework to further protect against evolving threats.
