Commercial spyware targeted Samsung Galaxy users for months

Security researchers at Palo Alto Networks’ Unit 42 division have documented a previously unknown Android commercial spyware that exploited a zero-day vulnerability in Samsung devices throughout 2024 and early 2025.

The LANDFALL malware used a critical flaw in Samsung’s image processing library to surveil targeted users in the Middle East, through malicious code hidden in Digital Negative (DNG) format files.

Unit 42 said the DNG image files appear to have been sent via WhatsApp between July 2024 and February 2025, judging by samples found in Google’s VirusTotal malware scanning site.

This suggests at least seven months of active exploitation before Samsung patched the vulnerability in April 2025, following disclosure to the company in September 2024, Unit 42 said.

LANDFALL exploited CVE-2025-21042, a zero-day flaw in Samsung’s libimagecodec.quram.so library that processes DNG raw image files.

It is possible that the LANDFALL campaign was a zero-click one, meaning victims may have been compromised simply by receiving the malicious image file without any interaction.
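A defender triaging image attachments can at least sanity-check the DNG container itself before it ever reaches a native decoder. The following script is an added example, not code from Unit 42 or Samsung, and it is a generic structural check rather than a LANDFALL signature: it walks the TIFF/DNG header and IFD chain, confirms the DNGVersion tag is present, and reports any bytes the structure never references (a common sign that a payload has been appended to an otherwise well-formed image). The tag numbers used (273 StripOffsets, 279 StripByteCounts, 330 SubIFDs, 50706 DNGVersion) are real TIFF/DNG tags; the sample file it builds is constructed for the demonstration.

```python
import struct
from dataclasses import dataclass, field

# TIFF 6.0 / DNG field types -> size of one element in bytes
TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 6: 1, 7: 1, 8: 2, 9: 4, 10: 8, 11: 4, 12: 8, 13: 4}
TAG_STRIP_OFFSETS, TAG_STRIP_BYTE_COUNTS, TAG_SUB_IFDS, TAG_DNG_VERSION = 273, 279, 330, 50706


@dataclass
class DngTriage:
    is_tiff: bool = False
    has_dng_version: bool = False
    ifd_count: int = 0
    accounted_end: int = 0        # highest byte offset the TIFF structure references
    trailing_bytes: int = 0       # bytes after that offset that nothing references
    problems: list = field(default_factory=list)


def _ints(data, endian, typ, count, value_field):
    """Decode one IFD entry's values (inline if <= 4 bytes, otherwise at the pointed-to offset)."""
    size = TYPE_SIZES.get(typ, 1) * count
    if size <= 4:
        raw, ext = value_field[:size], 0
    else:
        off = struct.unpack(endian + "I", value_field)[0]
        raw, ext = data[off:off + size], off + size
    fmt = {1: "B", 3: "H", 4: "I", 7: "B", 13: "I"}.get(typ)
    if fmt is None or len(raw) < size:
        return [], ext
    return list(struct.unpack(endian + fmt * count, raw)), ext


def triage_dng(data: bytes) -> DngTriage:
    """Structural triage of a DNG/TIFF file: header, IFD chain, strips, and unreferenced tail."""
    r = DngTriage()
    if len(data) < 8 or data[:2] not in (b"II", b"MM"):
        r.problems.append("not a TIFF/DNG container")
        return r
    endian = "<" if data[:2] == b"II" else ">"
    magic, first_ifd = struct.unpack(endian + "HI", data[2:8])
    if magic != 42:
        r.problems.append("bad TIFF magic")
        return r
    r.is_tiff, r.accounted_end = True, 8
    pending, seen = [first_ifd], set()
    while pending:
        off = pending.pop()
        if off == 0 or off in seen or off + 2 > len(data):
            continue
        seen.add(off)
        r.ifd_count += 1
        n = struct.unpack(endian + "H", data[off:off + 2])[0]
        end = off + 2 + n * 12 + 4                      # entries plus next-IFD pointer
        if end > len(data):
            r.problems.append(f"IFD at offset {off} runs past end of file")
            r.accounted_end = len(data)
            break
        r.accounted_end = max(r.accounted_end, end)
        strip_offs, strip_lens = [], []
        for i in range(n):
            e = off + 2 + i * 12
            tag, typ, count = struct.unpack(endian + "HHI", data[e:e + 8])
            vals, ext = _ints(data, endian, typ, count, data[e + 8:e + 12])
            r.accounted_end = max(r.accounted_end, ext)
            if tag == TAG_DNG_VERSION:
                r.has_dng_version = True
            elif tag == TAG_STRIP_OFFSETS:
                strip_offs = vals
            elif tag == TAG_STRIP_BYTE_COUNTS:
                strip_lens = vals
            elif tag == TAG_SUB_IFDS:
                pending.extend(vals)
        for so, sl in zip(strip_offs, strip_lens):
            r.accounted_end = max(r.accounted_end, so + sl)
        pending.append(struct.unpack(endian + "I", data[end - 4:end])[0])
    if r.accounted_end > len(data):
        r.problems.append("structure references bytes beyond end of file")
        r.accounted_end = len(data)
    r.trailing_bytes = len(data) - r.accounted_end
    if r.trailing_bytes > 0:
        r.problems.append(f"{r.trailing_bytes} unreferenced trailing bytes after image structure")
    if not r.has_dng_version:
        r.problems.append("no DNGVersion tag (not a DNG)")
    return r


def build_sample_dng(trailing: bytes = b"") -> bytes:
    """Constructed 1x1 little-endian DNG-like file for the demo (not a real camera file)."""
    entries = [  # (tag, type, count, value) in ascending tag order as TIFF requires
        (256, 3, 1, 1), (257, 3, 1, 1), (258, 3, 1, 8), (259, 3, 1, 1), (262, 3, 1, 1),
        (273, 4, 1, None),                       # StripOffsets, filled in below
        (279, 4, 1, 1),                          # StripByteCounts: one pixel byte
        (50706, 1, 4, b"\x01\x04\x00\x00"),      # DNGVersion 1.4.0.0
    ]
    pixel_off = 8 + 2 + len(entries) * 12 + 4    # pixel data directly after the single IFD
    out = b"II" + struct.pack("<HI", 42, 8) + struct.pack("<H", len(entries))
    for tag, typ, count, val in entries:
        val = pixel_off if tag == 273 else val
        vf = val.ljust(4, b"\0") if isinstance(val, bytes) else struct.pack("<" + ("H" if typ == 3 else "I"), val).ljust(4, b"\0")
        out += struct.pack("<HHI", tag, typ, count) + vf
    return out + struct.pack("<I", 0) + b"\x00" + trailing


if __name__ == "__main__":
    print("clean :", triage_dng(build_sample_dng()))
    print("padded:", triage_dng(build_sample_dng(b"J" * 24)))
```

The check is deliberately conservative: a file can pass it and still crash a vulnerable decoder, so it belongs in front of, not instead of, patching the affected library. Its value is in surfacing files whose bytes are not explained by the image structure, which is worth quarantining for analysis regardless of which parser bug an attacker intends to reach.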

The company subsequently addressed a related flaw, CVE-2025-21043, in the same image processing library during its September 2025 update.

Unit 42’s analysis of the spyware’s loader component revealed extensive data collection capabilities built into LANDFALL, suggesting it could record audio from the device microphone and capture phone calls along with call history.

Furthermore, LANDFALL harvested the contacts databases on Galaxy phones, SMS messages, camera photos and arbitrary files from infected devices.

Location tracking enabled continuous monitoring of victim movements.

The spyware specifically targeted several Samsung Galaxy models including the S22, S23 and S24 series, as well as Z Fold4 and Z Flip4 devices.

LANDFALL’s modular architecture points to additional capabilities that were downloaded after initial infection, though researchers did not recover all components of the framework.

Analysis of VirusTotal submission data indicates potential victims in Iraq, Iran, Turkey and Morocco.

Turkey’s national computer emergency response team Ulusal Siber Olaylara Müdahale Merkezi identified LANDFALL command and control (C2) IP addresses as malicious and advanced persistent threat-related.

Researchers identified six command and control servers used in the campaign, with domains including brightvideodesigns.com, hotelsitereview.com and healthyeatingontherun.com.

Unit 42 described LANDFALL as commercial-grade spyware likely developed by private sector offensive actors who provide surveillance tools to government clients.

The spyware’s infrastructure and domain registration patterns share similarities with Stealth Falcon, a United Arab Emirates-linked threat group.

Notably, LANDFALL’s loader component refers to itself as “Bridge Head” in debug artifacts.

This naming convention is commonly used by commercial spyware vendors including NSO Group, Variston, Cytrox and Quadream for their first-stage loaders.

Google’s Threat Analysis Group (TAG) previously reported that Variston, a Barcelona-based commercial spyware vendor, used a framework called Heliconia that also contained “BridgeHead” references.

Variston reportedly supplied tooling to clients in the UAE through a reseller named Protect Electronic Systems before ceasing operations in early 2025 following public exposure.

Despite these similarities, Unit 42 could not definitively attribute LANDFALL to a known threat actor and is tracking the activity as CL-UNK-1054.

The LANDFALL campaign fits within a larger trend of DNG image processing vulnerabilities being exploited across mobile platforms.

In August 2025, Apple patched CVE-2025-43300, a zero-day vulnerability in iOS DNG image parsing that was actively exploited in the wild.

WhatsApp disclosed CVE-2025-55177 the same month, revealing it had been chained with Apple’s DNG vulnerability to enable zero-click remote code execution through malicious images.

The United States Cybersecurity and Infrastructure Security Agency (CISA) has added the Samsung flaw to its Known Exploited Vulnerabilities (KEV) catalogue.
