NextFin News: researchers from Palo Alto Networks’ Unit 42 recently unveiled a sophisticated commercial spyware campaign dubbed “Landfall” that targeted Samsung Galaxy smartphones worldwide and remained active for nearly a year. Emerging in July 2024, Landfall exploited a critical zero-day vulnerability (CVE-2025-21042) in Samsung’s Android image processing library to achieve remote code execution through specially crafted, malformed Digital Negative (DNG) image files carrying malicious payloads. The exploit let the spyware infiltrate devices without any user interaction: a zero-click attack delivered primarily via messaging platforms such as WhatsApp.
Unit 42’s detailed analysis confirms that Landfall specifically targeted high-end Samsung models, including the Galaxy S22, S23 and S24 and foldable variants such as the Z Fold 4 and Z Flip 4, indicating a highly tailored campaign. The attack’s infrastructure and operational patterns suggest links to commercial spyware vendors in the Middle East, with probable deployment against users located in Iraq, Iran, Turkey, and Morocco. Notably, Samsung patched the underlying vulnerability in an April 2025 software update, and a subsequent related zero-day (CVE-2025-21043) was remediated in September 2025, reducing the ongoing risk to Samsung users.
Technically, Landfall exploits the vulnerability in Samsung’s image processing library "libimagecodec.quram.so" and extracts embedded shared object (.so) libraries from the malicious DNG files to deploy its multi-component spyware modules. These include a loader (b.so) that establishes persistence, an SELinux policy manipulator (l.so) that escalates permissions, and modules enabling comprehensive surveillance. The spyware can exfiltrate sensitive information including call logs, contacts, messages and images, and can remotely activate device features such as the microphone and camera. Its communication with command-and-control servers uses encrypted HTTPS traffic with certificate pinning, and it implements anti-debugging defenses to evade detection and analysis.
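As an added defender-side example (not code from the Unit 42 report or from this article): a small Python triage script that checks a file is a well-formed DNG container and flags any ELF shared-object header embedded in it, since a legitimate DNG has no reason to carry one. The sample file is constructed inline; the DNGVersion tag number and the ELF header layout come from the public TIFF/DNG and ELF specifications, and nothing here reproduces Landfall's actual file layout.

```python
import struct
ELF_MAGIC = b"\x7fELF"
EM_NAMES = {183: "aarch64", 40: "arm", 62: "x86-64"}   # common ELF e_machine values
DNG_VERSION_TAG = 50706                                # DNGVersion tag, present in every DNG
def parse_tiff_header(data):
    """Check the TIFF header every DNG starts with; return (endian, offset of first IFD)."""
    if len(data) < 8 or data[:2] not in (b"II", b"MM"):
        raise ValueError("not a TIFF/DNG container")
    endian = "<" if data[:2] == b"II" else ">"
    magic, ifd_off = struct.unpack(endian + "HI", data[2:8])
    if magic != 42 or ifd_off + 2 > len(data):
        raise ValueError("bad TIFF magic or first IFD offset")
    return endian, ifd_off

def ifd_tags(data, endian, ifd_off):
    """Return the tag numbers of the IFD at ifd_off, refusing an IFD that runs past the file."""
    count = struct.unpack_from(endian + "H", data, ifd_off)[0]
    if ifd_off + 2 + 12 * count + 4 > len(data):
        raise ValueError("IFD runs past end of file")
    return [struct.unpack_from(endian + "H", data, ifd_off + 2 + 12 * i)[0] for i in range(count)]

def find_embedded_elf(data):
    """Return (offset, class, machine) for every ELF header found anywhere in the file."""
    hits, pos = [], data.find(ELF_MAGIC)
    while pos != -1:
        if pos + 20 > len(data):                    # magic at the tail, header truncated
            hits.append((pos, "truncated", "unknown"))
            break
        cls = {1: "ELF32", 2: "ELF64"}.get(data[pos + 4], "unknown")
        fmt = ">H" if data[pos + 5] == 2 else "<H"  # EI_DATA selects the byte order
        machine = struct.unpack_from(fmt, data, pos + 18)[0]
        hits.append((pos, cls, EM_NAMES.get(machine, f"e_machine={machine}")))
        pos = data.find(ELF_MAGIC, pos + 1)
    return hits

def scan_dng(data):
    """Triage a DNG: verify the container, then report any embedded ELF shared-object headers."""
    endian, ifd_off = parse_tiff_header(data)
    if DNG_VERSION_TAG not in ifd_tags(data, endian, ifd_off):
        raise ValueError("TIFF without DNGVersion tag: not a DNG")
    return [f"ELF ({cls}, {mach}) at offset {off}" for off, cls, mach in find_embedded_elf(data)]

def build_sample(with_elf):
    """Constructed minimal DNG: II header, one-entry IFD (DNGVersion 1.4), 16 bytes of padding."""
    hdr = b"II" + struct.pack("<HI", 42, 8)
    ifd = struct.pack("<H", 1) + struct.pack("<HHI", DNG_VERSION_TAG, 1, 4) + bytes([1, 4, 0, 0]) + struct.pack("<I", 0)
    body = hdr + ifd + b"\x00" * 16
    if with_elf:  # append a fake ELF64 little-endian aarch64 header (constructed, not a real binary)
        body += ELF_MAGIC + bytes([2, 1, 1, 0]) + b"\x00" * 8 + struct.pack("<HH", 3, 183) + b"\x00" * 44
    return body
```

A hit from `scan_dng` is a triage signal for further analysis, not proof of exploitation; a clean result only means no plain ELF header is present, since a payload could also be stored compressed or encoded.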
The discovery follows parallel zero-day exploit disclosures in Apple iOS and WhatsApp in 2025 that similarly leveraged vulnerabilities in DNG image processing to deploy spyware through messaging apps, underscoring an accelerating trend in cross-platform exploitation targeting mobile multimedia libraries. Unit 42’s research uniquely traces Landfall’s usage back to mid-2024, revealing an extended period where high-value Samsung devices were silently surveilled before detection.
This incident sheds light on the evolving commercial spyware ecosystem operating prominently in sensitive geopolitical regions. The malware’s sophisticated evasion tactics, modular design, and multi-faceted data extraction capabilities align with the operational profiles of private-sector offensive actors (PSOAs) supplying state or proxy surveillance services. While no direct attribution to specific governments has been confirmed, overlaps with infrastructure linked to groups like Stealth Falcon, known for targeting journalists and dissidents in the Gulf, suggest possible ties.
From a cybersecurity perspective, Landfall illustrates the severe risk posed by zero-day vulnerabilities in widely used third-party libraries such as the image codecs embedded in mobile operating systems. The zero-click delivery vector dramatically lowers the attack’s detectability and increases its weaponization potential against unsuspecting targets. Given Samsung’s global market share (approaching 20% of all smartphones), the impact scope, especially among flagship users in targeted regions, is substantial.
Economically and operationally, the campaign reflects a growing commoditization and outsourcing of offensive cyber capabilities within the commercial spyware industry, fueling a market prone to illicit surveillance and rights abuses. This challenges traditional defensive paradigms reliant on timely patching, demanding augmented anomaly detection tailored to behavioral patterns of zero-click spyware and enhanced collaboration between vendors, platform providers, and intelligence entities.
Looking forward, the Landfall case underscores several critical industry trends. First, multimedia processing libraries will remain attractive targets for zero-day exploitation given their ubiquitous presence and complex attack surfaces across mobile ecosystems. Second, messaging platforms with automatic media download features serve as effective covert delivery mechanisms for stealthy attacks. Third, advances in anti-analysis protections embedded within modular spyware complicate detection and remediation, necessitating continuous innovation in endpoint security and threat intelligence.
To mitigate future risks, stakeholders should prioritize rapid vulnerability disclosure and coordinated patch deployments to minimize exploitable windows. Users, especially in high-risk regions, are advised to enforce strict update policies, disable automatic media downloads on messaging apps, and monitor permissions and application behavior vigilantly. Industry-wide, strengthening secure coding practices in multimedia library development and integrating runtime anomaly detection will be essential components of resilient mobile security architectures.
According to Palo Alto Networks' Unit 42 report, Landfall’s extended undetected presence exemplifies the severity of mobile zero-day spyware threats and highlights the urgent need for comprehensive operational, technical, and policy responses to counter the proliferation of commercial-grade espionage tools on critical mobile platforms.