‘LANDFALL’ Spyware Abuses Samsung Zero-Day via WhatsApp Images


The LANDFALL spyware campaign actively exploited a flaw in certain smartphones last year; Samsung has since patched it.

Researchers at Palo Alto Networks’ Unit 42 have discovered a new spyware campaign targeting Samsung users in the Middle East. Smartphones were infected through images sent via WhatsApp. The attack exploited a zero-day vulnerability in Samsung’s image processing library, which was abused for months before Samsung patched the issue in April 2025.

Vulnerability in Image Codec

The vulnerability (CVE-2025-21042) allows attackers to remotely execute arbitrary code, giving them full access to smartphones. The flaw was exploited by a previously unknown spyware variant called LANDFALL, which has been active since July 2024 and has targeted Samsung smartphones such as Galaxy S22, S23, S24, Z Fold 4 and Z Flip 4 models in the Middle East. The vulnerability has not been exploited in Europe.

The attack started with a modified .DNG file containing a ZIP archive. Once the file was opened, a script was executed that downloaded additional components, including an SELinux manipulator (l.so) that adjusted security settings to maintain access.
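A triage check for the file structure described above, added here as an example and not taken from Unit 42 or the article: it reports whether a TIFF/DNG-headed file carries a ZIP archive and lists the archive's members. The function names and the sample bytes are constructed for illustration.

```python
import io
import struct
import zipfile

TIFF_MAGICS = (b"II*\x00", b"MM\x00*")  # DNG is TIFF-based: little/big-endian headers
EOCD_SIG = b"PK\x05\x06"                # ZIP end-of-central-directory signature
EOCD_LEN = 22                           # fixed part of the EOCD record


def find_embedded_zip(data: bytes):
    """Return (offset, member_names) for a ZIP carried in a TIFF/DNG, else None."""
    if data[:4] not in TIFF_MAGICS:
        return None  # not a TIFF/DNG container, out of scope for this check
    pos = data.rfind(EOCD_SIG)
    while pos != -1:
        if pos + EOCD_LEN <= len(data):
            comment_len = struct.unpack_from("<H", data, pos + 20)[0]
            end = pos + EOCD_LEN + comment_len
            try:
                # zipfile tolerates leading non-ZIP bytes and rebases offsets
                with zipfile.ZipFile(io.BytesIO(data[:end])) as zf:
                    infos = zf.infolist()
                    start = min((i.header_offset for i in infos), default=pos)
                    return start, [i.filename for i in infos]
            except (zipfile.BadZipFile, ValueError):
                pass  # signature bytes occurred by chance; keep looking
        pos = data.rfind(EOCD_SIG, 0, pos)
    return None


def build_sample(with_zip: bool) -> bytes:
    """Constructed test input: a stub TIFF header, optionally followed by a ZIP."""
    stub = b"II*\x00" + struct.pack("<I", 8) + bytes(64)  # not a real image
    if not with_zip:
        return stub
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("constructed/one.bin", b"\x01\x02\x03")
        zf.writestr("constructed/two.txt", "sample")
    return stub + buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("clean", build_sample(False)), ("carrier", build_sample(True))):
        print(label, find_embedded_zip(blob))
```

A hit means the image deserves closer inspection, not that it is LANDFALL: the check looks only at container structure.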

Advanced Espionage Functions

LANDFALL collects detailed device data and can record conversations and microphone audio, track locations, and even access photos, text messages, contacts, and browsing history. The spyware also has features to evade detection and permanently embed itself in the system.

LANDFALL’s infrastructure is similar to that of other Stealth Falcon operations from the United Arab Emirates, according to BleepingComputer. However, researchers could not establish a direct link with known spyware companies such as NSO Group or Cytrox.