The Register

Previously unknown Landfall spyware used in 0-day attacks on Samsung phones

A previously unknown Android spyware family called LANDFALL exploited a zero-day in Samsung Galaxy devices for nearly a year, installing surveillance code capable of recording calls, tracking locations, and harvesting photos and logs before Samsung finally patched it in April.

The surveillance campaign likely began in July 2024 and abused CVE-2025-21042, a critical bug in Samsung’s image-processing library that affects Galaxy devices running Android versions 13, 14, 15, and 16, according to Palo Alto Networks Unit 42 researchers who discovered the commercial-grade spyware and revealed details of the espionage attacks in a Friday report.

“This was a precision espionage campaign, targeting specific Samsung Galaxy devices in the Middle East, with likely victims in Iraq, Iran, Turkey, and Morocco,” Itay Cohen, a senior principal researcher at Unit 42, told The Register. “The use of zero-day exploits, custom infrastructure, and modular payload design all indicate an espionage-motivated operation.”

According to the cyber sleuths, exploiting CVE-2025-21042 likely involved sending a maliciously crafted image to the victim’s device via a messaging application in a “zero-click” attack, meaning that infecting targeted phones didn’t require any user interaction.

“It’s not clear exactly how many people were targeted or exploited, but in a recent, related campaign, involving iOS and WhatsApp, WhatsApp shared that less than 200 were targeted in that campaign, so we can reasonably expect this could be a similar very targeted volume,” Cohen said.


Unit 42 originally uncovered Landfall while investigating other, similar image-parsing zero-days. In August, Apple patched a critical out-of-bounds write issue (CVE-2025-43300) in the ImageIO framework used in iPhones and iPads that had already been exploited in “extremely sophisticated” attacks.

That same month, Meta issued its own security advisory warning that attackers may have chained a WhatsApp bug (CVE-2025-55177) with this Apple OS-level flaw “in a sophisticated attack against specific targeted users.”

The Meta and WhatsApp security teams also found and disclosed to Samsung another DNG-related zero-day in Galaxy devices in August, and in September, Samsung patched CVE-2025-21043.

Despite the similarities between all of these attack chains, Unit 42 says it can’t definitively connect Landfall to the three other zero-days.

“We don’t have evidence to confirm that Landfall itself was used with CVE-2025-21043, nor whether CVE-2025-43300 was used to deliver an equivalent of Landfall to iOS, nor can we say the same actor was responsible,” Cohen told us. “That said, the close timing, delivery method, and clear technical parallels point to a broader wave of DNG image-parsing exploitation being used in advanced mobile spyware operations.”

While the researchers don’t believe CVE-2025-21042 is still being abused, “related exploit chains impacting Samsung and iOS devices were observed as recently as August and September, indicating that similar campaigns remained active until very recently,” Cohen added.
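The common thread in these chains is a DNG (TIFF-based) image that a parser trusts before it checks. The page does not describe the specific flaw behind CVE-2025-21042, so the following does not model it; it is an added example, not code from Unit 42 or Samsung, showing the structural validation a defensive triage tool or hardened parser applies to a DNG/TIFF container before touching any pixel data: every IFD offset, field type, value offset and SubIFD pointer is bounds-checked, and IFD chains are checked for cycles. The sample images are constructed inline (a minimal DNG-flavoured TIFF plus three deliberately malformed variants); the tag numbers are from the TIFF 6.0 and DNG specifications, and the function names and error strings are this example's own.

```python
import struct

# Byte width of each TIFF 6.0 field type; anything else is treated as malformed.
TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 6: 1, 7: 1, 8: 2, 9: 4, 10: 8, 11: 4, 12: 8, 13: 4}
TAG_SUBIFDS = 330        # DNG keeps its raw image data in SubIFDs referenced by this tag
TAG_DNG_VERSION = 50706  # DNGVersion, 4 BYTEs, e.g. 1.4.0.0
MAX_IFDS = 64            # hard cap so a crafted IFD chain cannot keep the walker busy


class MalformedImage(Exception):
    pass


def _parse_ifd(data, off, end):
    """Parse one IFD at byte offset `off`, bounds-checking every field before use."""
    if off < 8 or off + 2 > len(data):
        raise MalformedImage(f"IFD at offset {off} outside file")
    (count,) = struct.unpack_from(end + "H", data, off)
    if count == 0:
        raise MalformedImage(f"IFD at offset {off} has zero entries")
    table_end = off + 2 + 12 * count + 4            # entries plus the next-IFD pointer
    if table_end > len(data):
        raise MalformedImage(f"IFD at offset {off} truncated")
    entries, sub_ifds = [], []
    for i in range(count):
        entry_off = off + 2 + 12 * i
        tag, typ, n, raw = struct.unpack_from(end + "HHII", data, entry_off)
        size = TYPE_SIZES.get(typ)
        if size is None:
            raise MalformedImage(f"unknown field type {typ} in tag {tag}")
        total = n * size
        if total > 4:                               # value lives elsewhere in the file
            if raw + total > len(data):
                raise MalformedImage(f"tag {tag} data at offset {raw} runs outside file")
            value_off = raw
        else:                                       # value is stored inline in the entry
            value_off = entry_off + 8
        entries.append({"tag": tag, "type": typ, "count": n, "value_off": value_off})
        if tag == TAG_SUBIFDS and typ in (4, 13):   # LONG or IFD: offsets of child IFDs
            sub_ifds.extend(struct.unpack_from(end + "I" * n, data, value_off))
    (next_ifd,) = struct.unpack_from(end + "I", data, table_end - 4)
    return entries, next_ifd, sub_ifds


def walk_tiff(data):
    """Validate the header and walk every IFD (chain and SubIFDs); raise on any anomaly."""
    if len(data) < 8:
        raise MalformedImage("truncated header")
    end = {b"II": "<", b"MM": ">"}.get(data[:2])
    if end is None:
        raise MalformedImage("bad byte-order mark")
    magic, first_ifd = struct.unpack(end + "HI", data[2:8])
    if magic != 42:
        raise MalformedImage("bad magic (classic TIFF/DNG expected)")
    ifds, seen, pending = [], set(), [first_ifd]
    while pending:
        off = pending.pop(0)
        if off in seen:
            raise MalformedImage(f"IFD cycle at offset {off}")
        if len(ifds) >= MAX_IFDS:
            raise MalformedImage("too many IFDs")
        seen.add(off)
        entries, next_ifd, sub_ifds = _parse_ifd(data, off, end)
        ifds.append({"offset": off, "entries": entries})
        if next_ifd:
            pending.append(next_ifd)
        pending.extend(sub_ifds)
    return ifds


def triage(data):
    """Return (True, 'ok') for a structurally sane file, else (False, reason)."""
    try:
        walk_tiff(data)
        return True, "ok"
    except MalformedImage as exc:
        return False, str(exc)


# --- constructed sample files (not real captures) ---------------------------
def _ifd(entries, next_ifd=0):
    body = struct.pack("<H", len(entries))
    for tag, typ, n, raw in entries:
        body += struct.pack("<HHII", tag, typ, n, raw)
    return body + struct.pack("<I", next_ifd)

HEADER = b"II" + struct.pack("<HI", 42, 8)         # little-endian, first IFD at byte 8
GOOD = [(256, 3, 1, 1), (257, 3, 1, 1), (TAG_DNG_VERSION, 1, 4, 0x00000401)]

def sample_good():          # 1x1 image tagged DNGVersion 1.4.0.0, one IFD, no chain
    return HEADER + _ifd(GOOD)

def sample_oob_strip():     # StripOffsets (273) array of 1000 LONGs placed far past EOF
    return HEADER + _ifd(GOOD[:2] + [(273, 4, 1000, 0xFFFF0000)])

def sample_ifd_cycle():     # next-IFD pointer loops back to itself
    return HEADER + _ifd(GOOD, next_ifd=8)

def sample_bad_subifd():    # SubIFDs pointer outside the file
    return HEADER + _ifd(GOOD[:2] + [(TAG_SUBIFDS, 4, 1, 0x7FFFFFFF)])


if __name__ == "__main__":
    for name, fn in [("good", sample_good), ("oob strip", sample_oob_strip),
                     ("ifd cycle", sample_ifd_cycle), ("bad subifd", sample_bad_subifd)]:
        print(f"{name:>10}: {triage(fn())}")
```

The point of the walk is that nothing is dereferenced until its extent has been checked against the file length, and the IFD chain is bounded both by a visited set and by a hard cap; a parser that reads `count * size` bytes at `raw` without those checks is exactly the kind of code an out-of-bounds image bug lives in. Real DNG files carry many more tags and nested SubIFDs than the constructed samples, and this check deliberately says nothing about the pixel data itself.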

Once deployed on a victim’s device, Landfall has the capabilities usual for advanced spyware: it stays hidden while fingerprinting the device and exfiltrating data, and can record calls, collect contacts and messages, and access photos and other files.

While Unit 42 doesn’t have enough evidence to say definitively who did the spying or developed the spyware, the researchers do note that Landfall’s command-and-control infrastructure and domain registration patterns share similarities with Stealth Falcon. This group may have ties to the UAE government, and has conducted targeted spyware attacks against Emirati journalists, activists, and dissidents since at least 2012. 

“The technical overlaps are intriguing but not strong enough for responsible attribution,” Cohen said. “What’s clear is that the tradecraft, tooling quality, and target-specific tailoring point to a highly resourced operator, not a criminal group.” ®
