Landfall is a sophisticated, commercial-grade Android spyware family discovered in late 2025 by researchers at Palo Alto Networks’ Unit 42.
It represents a modular, espionage-focused tool designed for comprehensive device surveillance and data exfiltration, primarily targeting high-end Samsung Galaxy smartphones. Unlike consumer malware, Landfall exhibits advanced tradecraft indicative of private-sector offensive actors (PSOAs), with infrastructure patterns suggesting possible ties to Middle Eastern operations, including circumstantial links to groups like Stealth Falcon (associated with the UAE) and vendors such as the now-defunct Variston. The spyware has been actively deployed since mid-2024 in targeted intrusions, particularly against users in regions like Iraq, Iran, Turkey, and Morocco.
Infection Method and Targeting of Samsung Galaxy Phones
Landfall infects devices through a zero-click exploit chain that weaponizes seemingly harmless images, bypassing user interaction entirely. Attackers embed the payload in malformed Digital Negative (DNG) image files—a raw photo format based on TIFF—by appending a ZIP archive to the end of the file. These images typically carry innocuous-looking filenames, such as “WhatsApp Image 2025-02-10 at 4.54.17 PM.jpeg,” and are likely distributed via messaging apps like WhatsApp.
The core vulnerability exploited is CVE-2025-21042 (also tracked as Samsung’s SVE-2024-1969), a critical out-of-bounds write flaw in Samsung’s proprietary image processing library (libimagecodec.quram.so). When the device automatically processes the tainted DNG file—such as during gallery preview or thumbnail generation—the flaw triggers memory corruption, enabling arbitrary code execution. This allows extraction and loading of embedded components from the ZIP archive, including:
• A primary loader (b.so), an ARM64 ELF shared object that serves as the main backdoor.
• An SELinux policy manipulator (l.so), which disables security enforcement for persistence and elevated privileges.
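As an added illustration (not code from Unit 42's report or from any Landfall sample), the following Python triage check detects the polyglot layout described above: a file that begins with a TIFF/DNG header but ends with a ZIP end-of-central-directory record whose recorded offsets do not line up with the file start, which is exactly what an archive appended to an image looks like. The sample bytes are constructed inline; the entry name `b.so` is taken from the text, the content is a placeholder.

```python
import struct
TIFF_MAGIC = (b"II*\x00", b"MM\x00*")  # little- / big-endian TIFF; DNG is TIFF-based

def build_sample():
    """Constructed input: minimal TIFF (one empty IFD) + tiny stored ZIP. Placeholder bytes only."""
    tiff = b"II*\x00" + struct.pack("<IHI", 8, 0, 0)   # IFD0 at offset 8, 0 entries, no next IFD
    name, body = b"b.so", b"placeholder-not-a-real-payload"
    local = b"PK\x03\x04" + struct.pack("<HHHHHIIIHH", 20, 0, 0, 0, 0, 0,
                                        len(body), len(body), len(name), 0) + name + body
    central = b"PK\x01\x02" + struct.pack("<HHHHHHIIIHHHHHII", 20, 20, 0, 0, 0, 0, 0,
                                          len(body), len(body), len(name), 0, 0, 0, 0, 0, 0) + name
    eocd = b"PK\x05\x06" + struct.pack("<HHHHIIH", 0, 0, 1, 1, len(central), len(local), 0)
    return tiff + local + central + eocd

def _locate_archive(data):
    """Return (shift, cd_start, cd_size) for a ZIP appended to a TIFF/DNG, or None."""
    if data[:4] not in TIFF_MAGIC:
        return None
    tail = data[-(65535 + 22):]              # EOCD lies within max-comment distance of EOF
    idx = tail.rfind(b"PK\x05\x06")
    if idx < 0:
        return None
    eocd_pos = len(data) - len(tail) + idx
    cd_size, cd_offset = struct.unpack_from("<II", data, eocd_pos + 12)
    cd_start = eocd_pos - cd_size
    # ZIP offsets are relative to the archive's own start, so the gap between the real
    # central-directory position and the recorded one equals the prepended TIFF data.
    shift = cd_start - cd_offset
    if shift <= 0 or data[cd_start:cd_start + 4] != b"PK\x01\x02":
        return None
    return shift, cd_start, cd_size

def find_appended_zip(data):
    """Offset where an appended ZIP begins (size of the TIFF part), or None if clean."""
    found = _locate_archive(data)
    return found[0] if found else None

def list_appended_entries(data):
    """File names in the appended archive (the page's samples carried b.so and l.so)."""
    found = _locate_archive(data)
    if not found:
        return []
    _, pos, cd_size = found
    names, end = [], pos + cd_size
    while pos < end and data[pos:pos + 4] == b"PK\x01\x02":
        name_len, extra_len, comment_len = struct.unpack_from("<HHH", data, pos + 28)
        names.append(data[pos + 46:pos + 46 + name_len].decode("utf-8", "replace"))
        pos += 46 + name_len + extra_len + comment_len
    return names
```

A clean DNG yields no end-of-central-directory record and returns `None`; a plain ZIP with no TIFF header is ignored, so the check only fires on the image-plus-archive combination.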
Affected models include the Galaxy S22, S23, and S24 series, as well as the Z Fold4 and Z Flip4. Samsung patched this zero-day in April 2025 via a security update, but exploitation continued in the wild until at least September 2025, when a related flaw (CVE-2025-21043) was also addressed.
Capabilities and Impact
Once installed, Landfall establishes persistence through techniques like process injection, LD_PRELOAD hijacking, and SELinux policy tweaks, while evading detection via anti-debugging (e.g., checking for Frida or Xposed frameworks), dynamic library loading, and certificate pinning for command-and-control (C2) servers. It communicates with C2 infrastructure over HTTPS on non-standard ephemeral TCP ports, sending initial device fingerprints (e.g., IMEI, IMSI, installed apps, VPN status) and receiving modular payloads for tasks like:
• Surveillance: Real-time microphone and call recording, GPS location tracking.
• Data Exfiltration: Stealing contacts, SMS/MMS, call logs, camera photos, browsing history, and arbitrary files.
• Execution: Running native modules, DEX files, or shell commands; manipulating app directories.
This enables full device takeover, turning the phone into a surveillance beacon for extended periods—potentially months—without alerting the user.
As of November 2025, Samsung users should apply the latest security patches immediately, since unpatched devices remain vulnerable to similar image-based attacks.