NEWS One Photo — and the Smartphone is Compromised. A Virus that Spied on Samsung Users for Years Using a 0-day Uncovered

ExcalibuR
The era of "secure Android" ended with the discovery of Landfall.

A new generation of spyware operated for nearly a year, hiding inside Samsung Galaxy smartphones and exploiting a vulnerability the manufacturer was unaware of. Researchers from Palo Alto Networks Unit 42 reported that the malware, named Landfall, exploited a critical flaw in Samsung's image processing library and installed a full-fledged surveillance system: it intercepted calls, tracked locations, copied photos and system logs, leaving no trace on the screen. The issue was only fixed in April when the company released a security update that patched the hole, tracked as CVE-2025-21042.

According to analysts, the infections began in July 2024 and affected models running Android 13–16. The vulnerability allowed attackers to send specially crafted images that triggered the malware without any user interaction—a so-called "zero-click" attack. For this to happen, the image just needed to reach the device via a messenger or email client, after which the infection process occurred automatically. Analysts suggest that the campaign targeted specific smartphones in Middle Eastern countries, including Iraq, Iran, Turkey, and Morocco, indicating a carefully planned operation.

Landfall belongs to the commercial class of spy tools, comparable in functionality to systems like Pegasus or Predator. After installation, it hid within the system, collected device identifiers, contacts, messages, and multimedia files, and could also record conversations and transmit the collected data to remote servers. The malware's architecture is modular: each component performs its own task—from deployment to data exfiltration—which facilitates updates and adaptation to different versions of Android.

Researchers discovered Landfall while analyzing a chain of other vulnerabilities related to image processing in mobile systems. In August 2025, Apple patched a similar bug in the ImageIO framework that allowed arbitrary code execution on iPhones and iPads. Almost simultaneously, Meta warned about sophisticated attacks via WhatsApp that used a combination of this bug with another flaw in the messenger. During the same period, the WhatsApp team provided Samsung with information about another vulnerability related to the DNG format, and in September, the corporation closed the gap, tracked as CVE-2025-21043.

Despite the similarities in exploitation mechanisms, Unit 42 has not yet found direct evidence that Landfall was used in conjunction with these three vulnerabilities.

It is assumed that all these incidents could be part of a larger wave of attacks exploiting bugs in DNG image parsing to deploy mobile spies on different platforms. Since the last similar exploit chains were recorded in August and September, it can be considered that the activity of this series of campaigns continued until the autumn of 2025. There is currently no data on the ongoing use of CVE-2025-21042, but the emergence of new variants using the same methods in the future is not ruled out.

Landfall's infrastructure was found to be similar to networks previously linked to the Stealth Falcon group. Its activity has been tracked since 2012, with victims at various times including journalists, activists, and opposition figures from Gulf countries. Researchers emphasize that similar domain patterns and registration methods do not provide grounds for definitive conclusions about attribution, but the nature of the tooling and the quality of its implementation suggest the group has access to serious resources—most likely pointing to a state-level structure rather than cybercriminals.
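The post names the two Samsung fixes (CVE-2025-21042 in April, CVE-2025-21043 in September) and the Android 13–16 range, so the first thing a practitioner wants is a quick way to tell whether a given Galaxy has those updates. Below is an added triage script, not code from the post or from Unit 42: it parses `adb shell getprop` output and compares the device's security patch level with the two fix dates. It assumes (not stated in the post) that Samsung's April 2025 and September 2025 updates correspond to patch levels 2025-04-01 and 2025-09-01; the getprop samples are constructed, not captured from a real device.

```python
import re
from datetime import date

# Assumption (not stated in the post): the Samsung April 2025 and September 2025
# updates the post refers to set the Android security patch level to these dates.
# Confirm against Samsung's own security bulletin before relying on this mapping.
FIX_PATCH_LEVELS = {
    "CVE-2025-21042": date(2025, 4, 1),
    "CVE-2025-21043": date(2025, 9, 1),
}

# Android major releases the post says were affected.
AFFECTED_ANDROID = {"13", "14", "15", "16"}

# Constructed samples of `adb shell getprop` output (Samsung-style key names);
# not taken from a real device.
SAMPLE_UNPATCHED = """\
[ro.build.version.release]: [14]
[ro.build.version.security_patch]: [2025-03-01]
[ro.product.manufacturer]: [samsung]
"""

SAMPLE_PATCHED = """\
[ro.build.version.release]: [15]
[ro.build.version.security_patch]: [2025-10-01]
[ro.product.manufacturer]: [samsung]
"""

GETPROP_LINE = re.compile(r"^\[([^\]]+)\]: \[(.*)\]$")
PATCH_LEVEL = re.compile(r"^(\d{4})-(\d{2})-(\d{2})$")


def parse_getprop(text):
    """Turn raw getprop output into a dict; lines that do not match are skipped."""
    props = {}
    for line in text.splitlines():
        m = GETPROP_LINE.match(line.strip())
        if m:
            props[m.group(1)] = m.group(2)
    return props


def parse_patch_level(value):
    """Parse a 'YYYY-MM-DD' security patch level; anything else is an error."""
    m = PATCH_LEVEL.match(value.strip())
    if not m:
        raise ValueError(f"unexpected security_patch value: {value!r}")
    return date(int(m.group(1)), int(m.group(2)), int(m.group(3)))


def assess(props):
    """Report which of the two fixes the device's patch level predates."""
    manufacturer = props.get("ro.product.manufacturer", "").lower()
    release = props.get("ro.build.version.release", "")
    major = release.split(".")[0]
    patch = parse_patch_level(props["ro.build.version.security_patch"])
    # A patch level earlier than a fix's date means that update is not installed.
    missing = sorted(cve for cve, fixed in FIX_PATCH_LEVELS.items() if patch < fixed)
    return {
        "samsung": manufacturer == "samsung",
        "android_in_affected_range": major in AFFECTED_ANDROID,
        "patch_level": patch.isoformat(),
        "missing_fixes": missing,
    }


if __name__ == "__main__":
    for label, sample in (("unpatched", SAMPLE_UNPATCHED), ("patched", SAMPLE_PATCHED)):
        print(label, assess(parse_getprop(sample)))
```

Run it against a real device with `adb shell getprop > props.txt` and feed the file to `parse_getprop`. The patch level only tells you whether the update is installed; it says nothing about whether the device was already compromised before the update arrived, which is a forensic question (app list, persistence, network destinations), not a version check.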
How can I get the spyware?