© IE Online Media Services Pvt Ltd
[Photo: The Samsung Galaxy S25 Plus. (Express Photo)]
Security researchers have uncovered a vulnerability that was exploited to inject a new type of spyware called ‘Landfall’ into Samsung Galaxy phones as part of a months-long hacking campaign potentially targeting victims in the Middle East.
The attackers relied on an Android OS security flaw to deploy the spyware and compromise Galaxy smartphones, researchers at Unit 42, the threat intelligence team of cybersecurity firm Palo Alto Networks, said in a blog post on November 7. It was a zero-day attack, meaning that the flaw was being exploited before Samsung knew about the vulnerability.
Similar to the NSO Group’s Pegasus, Landfall is zero-click. This means that the spyware could be delivered to target phones without requiring any action on the victims’ part. Simply sending a maliciously crafted image to a victim’s phone, likely through a messaging app, was enough to infect the device with Landfall, according to the researchers.
The spyware’s source code pointed to five Galaxy models as potential targets, namely the Samsung Galaxy S22, S23 and S24, as well as some Z models. The researchers also found the Android security flaw in other Galaxy devices, and said that devices running Android versions 13 through 15 could have been affected too.
In response, Samsung patched the security flaw exploited to deploy the spyware in April this year. However, Landfall was first detected in July last year, and the campaign had been operational since mid-2024.
“LANDFALL remained active and undetected for months,” Unit 42 said. “The specific flaw LANDFALL exploited, CVE-2025-21042, is not an isolated case but rather part of a broader pattern of similar issues found on multiple mobile platforms,” it added.
Similar to other commercial-grade spyware, Landfall is capable of carrying out comprehensive surveillance of its victims by vacuuming up on-device data such as photos, contacts, and call logs, as well as tapping the device’s microphone and tracking its precise location.
“The spyware is delivered through malformed DNG image files exploiting CVE-2025-21042—a critical zero-day vulnerability in Samsung’s image processing library, which was exploited in the wild,” the researchers said. Unit 42 said its researchers analysed various spyware samples that had been uploaded to VirusTotal, a malware scanning service, by people located in Morocco, Iran, Iraq, and Turkey between 2024 and 2025.
While the spyware vendor that developed Landfall is not known for certain, the researchers found that Landfall was hosted on digital infrastructure similar to that of a well-known spyware vendor referred to as Stealth Falcon. Other details such as the exact number of individuals that were potentially targeted as part of the campaign are unclear.
Unit 42 researchers said that Landfall had been used to carry out “targeted intrusion activities within the Middle East”.
They also found evidence suggesting that the spyware was not mass-distributed in the way ordinary malware is. Instead, the attackers carried out a “precision attack” on specific individuals, indicating that it was likely a government-backed espionage campaign, Itay Cohen, a senior principal researcher at Unit 42, was quoted as saying by TechCrunch.
Researchers said that there was not enough evidence to clearly state that a government customer of Landfall was behind the hacking campaign. But they found that the Landfall hacking campaign shared a few similarities with previous spyware attacks against journalists, activists, and dissidents in the UAE going back to 2012.
Additionally, the researchers pointed out that Apple patched a similar zero-day vulnerability in August this year. “We cannot confirm whether this chain was used to deliver an equivalent of LANDFALL to iOS, or whether it is the same threat actor behind the two,” Unit 42 wrote.
“However, this parallel development in the iOS ecosystem, combined with the disclosure of the Samsung and Apple vulnerabilities just a few weeks apart, highlights a broader pattern of DNG image processing vulnerabilities being leveraged in sophisticated mobile spyware attacks,” it added.
In September this year, Apple announced that it had made a series of changes to its A19 and A19 Pro chips, operating system, and development tools in order to prevent the latest iPhone 17 lineup from being compromised in attacks by Pegasus-like spyware.
This spyware protection tool, known as Memory Integrity Enforcement (MIE), has been built to detect and patch security exploits in device memory, making it harder for threat actors to compromise iPhones using sophisticated spyware like Pegasus, according to Apple.