Security researchers uncovered a vulnerability that was exploited to inject a new type of spyware called ‘Landfall’ in Samsung Galaxy phones as part of a months-long hacking campaign potentially targeting victims in the Middle East.
The attackers relied on an Android OS security flaw to deploy the spyware and compromise Galaxy smartphones, researchers at Unit 42, backed by cybersecurity firm Palo Alto Networks, said in a blog post on November 7. It was a zero-day attack, meaning that Samsung did not know about the vulnerability at the time.
Similar to the NSO Group’s Pegasus, Landfall is zero-click. This means that the spyware could be delivered to target phones without requiring any action on the victims’ part. According to the researchers, simply sending a maliciously crafted image to a victim’s phone, likely through a messaging app, was enough to infect the device with Landfall.
The spyware’s source code pointed to five Galaxy models as targets, namely the Samsung Galaxy S22, S23 and S24, along with some Z models. The researchers also found the security flaw in other Galaxy devices, and further said that devices running Android versions 13 through 15 could be affected too.
Landfall was first detected in July 2024, and Samsung said that the security flaw used to deploy the spyware was patched in April 2025. However, this is the first time the security incident has been publicly reported. “The specific flaw LANDFALL exploited, CVE-2025-21042, is not an isolated case but rather part of a broader pattern of similar issues found on multiple mobile platforms,” Unit 42 said in a blog post.
What is Landfall spyware? Who is behind it?
Similar to other commercial-grade spyware, Landfall is capable of carrying out comprehensive surveillance of its victims by vacuuming up on-device data such as photos, contacts, and call logs, as well as tapping the device’s microphone and tracking its precise location.
“The spyware is delivered through malformed DNG image files exploiting CVE-2025-21042—a critical zero-day vulnerability in Samsung’s image processing library, which was exploited in the wild,” the researchers said. Unit 42 said that its researchers scanned various spyware samples that had been uploaded to VirusTotal, a malware scanning service, by people located in Morocco, Iran, Iraq, and Turkey from 2024 to early 2025.
However, the spyware vendor that developed Landfall is not known. Details about how many people were targeted as part of the campaign are also unclear.
Who were the likely targets of Landfall spyware?
Unit 42 researchers said that Landfall had been used to carry out “targeted intrusion activities within the Middle East”. They also found evidence that suggested the spyware was not mass-distributed like malware. Instead, the attackers undertook a “precision attack” on specific individuals, indicating that it was likely an espionage campaign, Itay Cohen, a senior principal researcher at Unit 42, was quoted as saying by TechCrunch.
As for whether it was a government customer behind the hacking campaign, researchers said there was not enough evidence to give a clear attribution. But they found that the Landfall spyware was hosted on digital infrastructure similar to that of a well-known spyware vendor referred to as Stealth Falcon.
The Landfall hacking campaign also shared some similarities with previous spyware attacks against Emirati journalists, activists, and dissidents as far back as 2012, according to Unit 42.
Were iPhone users also targeted by Landfall?
Additionally, the researchers pointed out that Apple patched a similar zero-day vulnerability in August this year. “We cannot confirm whether this chain was used to deliver an equivalent of LANDFALL to iOS, or whether it is the same threat actor behind the two,” Unit 42 wrote.
“However, this parallel development in the iOS ecosystem, combined with the disclosure of the Samsung and Apple vulnerabilities just a few weeks apart, highlights a broader pattern of DNG image processing vulnerabilities being leveraged in sophisticated mobile spyware attacks,” it added.
In September this year, Apple announced that it had made a series of changes to its A19 and A19 Pro chips, its operating system, and its development tools in order to prevent the latest iPhone 17 lineup from being compromised in attacks by Pegasus-like spyware.
This spyware protection tool, known as Memory Integrity Enforcement (MIE), has been built to detect and patch security exploits in device memory, making it harder for threat actors to compromise iPhones using sophisticated spyware like Pegasus, according to Apple.