
A powerful new Android spyware family, dubbed Landfall, has emerged, exploiting several zero-day vulnerabilities to target Samsung Galaxy and likely other devices. The tool was likely used by government entities and other commercial surveillance buyers.
Palo Alto’s Unit 42 has unveiled a spyware campaign that targeted Samsung Android devices from mid-2024 through early 2025.
The spyware exploited a critical remote code execution vulnerability in Samsung’s Android image processing library, which Samsung patched in April 2025.
According to the National Vulnerability Database, which assigned this flaw (CVE-2025-21042) a severity score of 9.8 out of 10, the out-of-bounds write in libimagecodec.quram.so allowed remote attackers to execute arbitrary code.
However, Unit 42 researchers warn that this exploit was not an isolated case, “but rather part of a broader pattern of similar issues found on multiple mobile platforms.”
“Landfall was embedded in malicious image files (DNG file format) that appear to have been sent via WhatsApp. This method closely resembles an exploit chain involving Apple and WhatsApp that drew attention in August 2025,” the report about the new commercial-grade Android spyware reads.
The malformed DNG (Digital Negative) image files were possibly delivered via zero-click exploits on WhatsApp and other messaging applications. When triggered, they extracted an embedded .zip archive and ran the spyware.
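A defender-side triage check for the delivery mechanism described above, as an added example that is not from the Unit 42 report: DNG is a TIFF container and has no legitimate reason to carry ZIP structures, so a scanner can flag a TIFF-headed file that contains a parseable ZIP archive. The sample file is constructed inline (a minimal TIFF header plus an appended archive with a placeholder entry); a bare "PK" signature can occur by chance in pixel data, so the check requires the archive to actually parse.

```python
import io
import struct
import zipfile

ZIP_LOCAL_HEADER = b"PK\x03\x04"   # local file header signature
ZIP_EOCD = b"PK\x05\x06"           # end-of-central-directory signature


def is_tiff_container(data: bytes) -> bool:
    # DNG reuses the TIFF header: 'II*\0' (little-endian) or 'MM\0*' (big-endian)
    return data[:4] in (b"II*\x00", b"MM\x00*")


def scan_dng(data: bytes) -> dict:
    """Report whether a TIFF/DNG blob contains an embedded ZIP archive.

    Only a ZIP that the standard parser accepts counts as suspicious; a lone
    'PK' byte pattern inside raw image data is ignored.
    """
    result = {"suspicious": False, "zip_offset": None, "entries": []}
    if not is_tiff_container(data):
        return result
    start = data.find(ZIP_LOCAL_HEADER)
    end = data.rfind(ZIP_EOCD)
    if start == -1 or end == -1 or end < start:
        return result
    try:
        with zipfile.ZipFile(io.BytesIO(data[start:])) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return result
    result.update(suspicious=True, zip_offset=start, entries=names)
    return result


def build_minimal_tiff() -> bytes:
    # Constructed benign sample: header, IFD at offset 8 with one entry
    # (ImageWidth=1, type SHORT), then a zero next-IFD pointer.
    header = b"II*\x00" + struct.pack("<I", 8)
    ifd = struct.pack("<H", 1) + struct.pack("<HHII", 0x0100, 3, 1, 1) + struct.pack("<I", 0)
    return header + ifd


def build_tiff_with_embedded_zip() -> bytes:
    # Constructed suspicious sample: the same TIFF with a ZIP appended.
    # The entry is a harmless placeholder, not a real payload.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("placeholder.txt", "constructed sample entry")
    return build_minimal_tiff() + buf.getvalue()
```

Run `scan_dng()` over files from a mail or messaging quarantine to surface DNGs that carry an archive; a hit is a triage lead, not proof of this specific spyware.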
What do we know about Landfall spyware?
Landfall is a type of Android spyware specifically designed to target Samsung Galaxy S22, S23 Series, S24 Series, Z Fold4, and Z Flip4 devices. It appears to be used against victims in Middle Eastern and North African countries, including Iraq, Iran, Turkey, and Morocco.
“The Landfall spyware components suggest advanced capabilities for stealth, persistence, and comprehensive data collection from modern Samsung devices,” the report reads.
The malformed DNG files delivered two components: a loader, serving as the main backdoor, and the SELinux Policy Manipulator, designed to alter the device’s policies and grant the spyware elevated permissions, aiding persistence.
At least six image samples were discovered. The researchers did not directly analyze the next-stage components of the spyware.
Even without additional payloads, Landfall was capable of detailed device fingerprinting, obtaining the OS version, hardware and SIM IDs, user account, network configuration, location, and other device data.
Once installed, it can record microphone and calls, exfiltrate call history, contacts, SMS and messaging data, camera photos, files, browsing history, and other data. Landfall has sophisticated persistence mechanisms and is capable of loading and executing native modules, injecting processes, and forcing the system to load malicious libraries even before others.
To avoid detection, it checks for debuggers and common analysis frameworks, such as Frida and Xposed, dynamically loads libraries, and removes malicious image files it used to infect the devices.
The researchers identified six command and control servers used by the spyware.
“It is clear that the tool is commercial grade. It may have utilized several zero-day exploits in its infection chain,” the researchers said.
“Such tools are often developed and sold as commercial spyware and attributed to groups known as private sector offensive actors (PSOAs), who are often legitimate legal entities. Reportedly, these groups provide services to government entities.”
The report warns that malformed DNG files are becoming a recurring attack vector, and the exploit used by Landfall is just one of similar issues found on multiple platforms.
In August 2025, Apple addressed a zero-day vulnerability, CVE-2025-43300, which affected DNG image parsing. It was widely exploited by threat actors to achieve zero-click remote code execution. It is unclear whether it was used to deliver equivalent spyware on iOS.
“This parallel development in the iOS ecosystem, combined with the disclosure of the Samsung and Apple vulnerabilities just a few weeks apart, highlights a broader pattern of DNG image processing vulnerabilities being leveraged in sophisticated mobile spyware attacks.”
Samsung device users should make sure they’ve applied all the latest software updates. The firm issued additional firmware updates in September.