A new investigation by Palo Alto Networks’ Unit 42 has uncovered a stealthy commercial-grade spyware operation—codenamed Landfall—that weaponized zero-day flaws in Samsung phones to secretly monitor targets in Iraq, Iran, Turkey, and Morocco. The findings expose yet another chapter in the global trade of state-linked surveillance tools.
A Quiet Breach in the Android Heartland
For nearly a year, a private vendor of offensive cyber tools quietly exploited a zero-day vulnerability in Samsung’s image-processing library to infiltrate flagship Galaxy devices across the Middle East. The campaign, active from mid-2024 until Samsung patched the flaw in April 2025, used weaponized Digital Negative (DNG) image files to deliver a sophisticated spyware implant.
The spyware, christened “Landfall” by Unit 42, allowed its operators to record conversations, harvest photos and contact lists, track geolocation, and monitor call logs—all without the user’s knowledge. Attackers delivered these DNG files through WhatsApp, targeting high-end models such as the Galaxy S22, S23, and S24 series.
Unit 42’s researchers say the malicious code was “commercial-grade,” the kind typically developed by private surveillance vendors for government clients. The infection chain exploited CVE-2025-21042, a critical flaw in Samsung’s image library, to gain system-level privileges on the device.
Following the Trail: From iOS to Android
The discovery of Landfall was almost accidental. Unit 42’s researchers were originally investigating malicious iOS activity linked to CVE-2025-43300, a zero-day vulnerability in Apple’s DNG parser. Around the same time, WhatsApp disclosed its own zero-day issue (CVE-2025-55177) in a synchronization feature that could be chained with Apple’s bug.
When Unit 42 followed the trail, they unearthed malformed DNG samples uploaded to VirusTotal—files that contained traces of the Landfall payload. The exploit chain, they noted, mirrored techniques seen in recent iOS attacks, suggesting a coordinated effort targeting image-processing vulnerabilities across multiple mobile platforms.
From these samples, the analysts pieced together a cross-platform campaign capable of bypassing security mechanisms on both Android and iOS ecosystems. Samsung’s fix came only after a private researcher discreetly disclosed the vulnerability, ending months of silent exploitation.

Infrastructure Overlaps and Shadowy Links
In dissecting Landfall’s command-and-control (C2) network, Unit 42 identified at least six servers used by attackers to communicate with infected devices. These C2 servers shared key overlaps with infrastructure previously associated with Stealth Falcon, a threat group tied to targeted espionage in the Middle East.
Investigators stopped short of confirming attribution but cited “circumstantial evidence” suggesting a potential link between Landfall’s operators and entities aligned with the United Arab Emirates (UAE). “Besides the infrastructure overlap, no other telemetry is so far available to suggest a direct link,” the researchers cautioned.
The malware itself was modular, with features for device fingerprinting, data exfiltration, and secondary payload delivery. Its anti-analysis design enabled it to detect debugging, identify reverse-engineering frameworks, and escalate privileges—hallmarks of an advanced commercial surveillance toolkit.
A Broader Pattern of State-Sponsored Surveillance
The Landfall campaign bears the fingerprints of a widening global market for digital espionage. Unit 42’s report situates it alongside tools like NSO Group’s Pegasus, Intellexa’s Predator, and Gamma’s FinFisher FinSpy—platforms that have been used by governments and intelligence agencies to monitor journalists, activists, and political opponents.
Google’s own research last year found that such commercial vendors were responsible for nearly half of all zero-day exploits across its products between 2014 and 2023. In 2025, a U.S. federal court even barred the NSO Group from reverse-engineering WhatsApp, underscoring growing judicial scrutiny of this shadow industry.
As Landfall demonstrates, even the most secure consumer devices can become conduits for geopolitical espionage, at least until someone happens to stumble upon the code.