Landfall Spyware Exploits Samsung Vulnerability, Evades Detection for Nearly a Year in Middle East Campaign
Commercial spyware known as Landfall exploited a zero-day vulnerability on Samsung Galaxy devices, enabling covert surveillance and data theft for nearly a year before a patch was released in April 2025[1][2][4][5]. This campaign, primarily targeting users in the Middle East, highlights the increasing threat posed by commercial-grade spyware and the urgent need for robust mobile security.
How Landfall Operated
Landfall is a sophisticated Android spyware family first uncovered by Palo Alto Networks’ Unit 42 researchers[1][2][3]. The attack chain began with exploitation of a security flaw catalogued as CVE-2025-21042, a critical vulnerability in Samsung’s image processing library affecting multiple Galaxy models running Android versions 13 through 15 (including S22, S23, S24, and Z foldables)[2][4][6][12].
The attack’s hallmark was its zero-click nature—victims did not need to interact with any malicious content. Instead, Landfall was delivered via specially crafted DNG image files sent through messaging apps such as WhatsApp[1][2][4][5][10]. Once the file reached the device, the embedded exploit chain allowed attackers to surreptitiously install the spyware without user awareness.
Capabilities and Impact
Landfall’s technical capabilities place it among the most dangerous commercial spyware tools to date. Once installed, the malware enabled attackers to:
- Record audio using the device’s microphone.
- Track the device’s location in real time.
- Exfiltrate photos, contacts, call logs, and text messages.
- Remotely activate the camera and record calls[4][5][6][9].
The spyware’s infrastructure and tactics bore similarities to other commercial spyware vendors, hinting at ties to private-sector offensive actors (PSOAs) and possibly black-market distribution[1][2][4]. According to multiple reports, the campaign was active from at least July 2024 until Samsung’s patch in April 2025, operating undetected for months[1][2][4][5].
Unit 42’s analysis found code references to targeted Galaxy models and observed samples uploaded from Morocco, Iran, Iraq, and Turkey, indicating that the campaign was regionally focused but technically capable of broader reach[2][4][5][6].
The Vulnerability: CVE-2025-21042
The exploited vulnerability allowed attackers to gain full read and write access to the device by leveraging a flaw in the image processing library. This permitted malware installation during startup through a custom skin flash, bypassing standard security controls[1][2][6]. The nature of the exploit meant that attackers could compromise devices without any user interaction—a significant escalation from earlier attack methods requiring clicks or downloads.
Samsung was unaware of the flaw until it was disclosed by researchers, who catalogued it as CVE-2025-21042 and informed Samsung, prompting a security patch in April 2025[1][2][4][5][6][12]. The delay between the initial exploitation and the release of a patch allowed the spyware to run rampant, potentially affecting thousands of devices.
Espionage and Commercial Spyware Trends
Industry experts consider Landfall a commercial-grade spyware—a tool with features and reliability comparable to infamous products such as NSO Group’s Pegasus[2][4][7]. Its modular design, advanced stealth capabilities, and infrastructure suggest use by mercenary surveillance vendors targeting high-value individuals, including journalists, activists, and executives[4][5][7].
Reports estimate the campaign may have compromised up to 100,000 victims in over 190 countries[6], though precise figures remain unclear. Notably, some infected devices reportedly displayed photos of Russian President Vladimir Putin, raising questions about the malware’s provenance and intent[6].
Defensive Measures and Industry Response
Following the discovery, Palo Alto Networks and other security vendors rapidly updated detection systems to identify and block Landfall-related exploits and domains[3][7][13]. Samsung’s April 2025 security update addressed CVE-2025-21042, but the incident underscores persistent challenges in defending mobile platforms against zero-day threats.
Security researchers urge users to:
- Update devices promptly to ensure the latest security patches are installed.
- Exercise caution with unsolicited messages and file attachments, even from known contacts.
- Use reputable security solutions capable of detecting advanced mobile malware[3][7].
Conclusion
The Landfall spyware campaign represents a troubling escalation in mobile espionage, combining zero-click exploits, targeted surveillance, and commercial-grade malware sophistication. Its prolonged undetected operation on Samsung devices is a stark reminder that even flagship phones are vulnerable to advanced threats, and that proactive defense—including timely updates and threat intelligence sharing—is essential for both users and the broader cybersecurity community[1][2][3][4][5][6][7][12][13].
Original source: Ars Technica – Commercial spyware “Landfall” ran rampant on Samsung phones for almost a year