'Landfall' Malware Targets Samsung Galaxy Users

A likely private vendor of offensive security tools quietly exploited a zero-day vulnerability in Samsung's Android image processing library to drop a commercial-grade spyware tool on targeted Samsung Galaxy users in the Middle East.

The malicious activity went on from at least mid-2024 to April 2025, when Samsung fixed the vulnerability after a researcher privately informed the company about the issue. Researchers at Palo Alto Networks' Unit 42 team discovered the spyware tool when following up on public reports of exploits targeting iOS devices earlier this year.

The Landfall Threat

Researchers named the malware "Landfall" and described it in a report this week as a tool that lets its operators secretly record conversations, track device locations, capture photos, collect contacts and call logs, and perform other surveillance on compromised devices. The team observed attackers exploiting CVE-2025-21042, a critical flaw in Samsung's image processing library, to deliver the spyware through specially crafted Digital Negative (DNG) image files. Unit 42's analysis showed the attackers likely sent the weaponized image files via WhatsApp primarily to targets in Iraq, Iran, Turkey, and Morocco.

The exploit chain, according to Unit 42, closely resembled similar attacks discovered on iOS around the same time, suggesting a broader pattern of coordinated exploitation targeting image-processing vulnerabilities across multiple mobile platforms.

"From the initial appearance of samples in July 2024, this activity highlights how sophisticated exploits can remain in public repositories for an extended period before being fully understood," Unit 42 said in its report. "The analysis of the loader reveals evidence of commercial-grade activity. The Landfall spyware components suggest advanced capabilities for stealth, persistence and comprehensive data collection from modern Samsung devices."

A Disconcerting Pattern

The activity that Unit 42 discovered matches similar campaigns in recent years where governments, intelligence agencies, and law enforcement have used sophisticated, commercially available mobile spyware tools to monitor civil rights activists, political opponents, think tanks, and journalists of interest. The more well-known purveyors of such tools include the NSO Group and its notorious Pegasus spyware, Cytrox/Intellexa's Predator spyware and its broader Nova suite of malicious tools, and Gamma's FinFisher FinSpy tool. Last year, Google described such actors as accounting for nearly half of all zero-days in its products between 2014 and 2023. And just last month, a US federal court judge formally banned the NSO Group from reverse engineering WhatsApp for spyware delivery purposes.
