Palo Alto Networks’ threat intelligence team, Unit 42, has uncovered a sophisticated spyware campaign that exploited a previously unknown zero-day vulnerability in Samsung Galaxy smartphones, allowing attackers to conduct full-scale surveillance on targeted users.
The spyware, dubbed LANDFALL, was discovered during an investigation into a series of covert attacks that began in mid-2024. The campaign exploited a vulnerability now identified as CVE-2025-21042, which resided in Samsung’s image processing library and remained unpatched until April 2025.
According to Palo Alto Networks, LANDFALL was delivered via a malicious DNG (raw image) file, likely sent through WhatsApp. The attack method—leveraging manipulated image files—represents a growing trend in mobile exploitation, following similar attack chains recently seen on Apple devices. The delivery mechanism suggests the attack may have been zero-click, requiring no user interaction to infect the device.
Once installed, the spyware granted attackers near-total control over infected devices. It could record audio, track location, and steal sensitive data including photos, call logs, and contact lists. The campaign appears to have focused on targets in Iraq, Iran, Turkey, and Morocco, with signs linking it to private-sector offensive actors (PSOAs)—commercial spyware groups that sell surveillance tools to governments and other clients.
Unit 42 researchers described LANDFALL as “commercial-grade spyware” engineered to evade detection while maintaining persistence on high-end Samsung models, including the S22, S23, S24, and Fold/Flip series. The campaign’s infrastructure and operational patterns closely resemble those of known PSOAs, which are often associated with state-linked espionage operations.
The discovery provides a rare retrospective view into a long-running, undetected spyware operation targeting consumer devices at scale. Researchers warn that the incident underscores both the evolving sophistication of mobile surveillance tools and the critical need for timely patching and mobile threat intelligence sharing.
Samsung patched the vulnerability in April 2025, but security experts stress that the case highlights persistent gaps in detecting and mitigating zero-day exploits in the mobile ecosystem.
