What is Landfall spyware

  • Landfall is a newly exposed Android spyware campaign, which was discovered by Unit 42, a team within Palo Alto Networks.
  • It leveraged a zero-day vulnerability, tracked as CVE-2025-21042, in the image-processing library used by some Samsung Galaxy devices.
  • The delivery method: a crafted DNG (“Digital Negative”) image file sent, for example, via a messaging app like WhatsApp. Just receiving the image, or having the system process it, could lead to infection with no action by the user required (“zero-click”).
  • Targeted device models include the Galaxy S22, S23, S24 series, and some Galaxy Z Fold/Flip devices running Android 13–15 through Samsung’s One UI versions.
  • The campaign was operational from around the middle of 2024 until the vulnerability was patched in April 2025.

What it can do

Once installed, Landfall provides a full surveillance suite:

  • Exfiltrate contacts, call logs, SMS/messages, and browsing history.
  • Record audio (microphone) and possibly camera, and track precise location.
  • Manipulate system policies (SELinux, etc.) for persistence and stealth.
  • Operate without obvious user interaction; it is often difficult to detect and remove.

Who is behind it & who was targeted

  • The exact threat actor is not attributed, but researchers point out similarities to known surveillance vendor infrastructure in the Middle East, for instance a group referred to as Stealth Falcon.
  • The victims appear to have been individually targeted rather than hit by a mass spray campaign, probably in countries like Iraq, Iran, Turkey, and Morocco.

Why this matters

  • It just goes to prove that, with a silent image file exploit, even a trusted and mainstream flagship phone can be compromised — without users ever knowing or suspecting anything.
  • Zero-click means the traditional precaution ("don’t click on strange links") isn’t enough.
  • Demonstrates the sophistication of commercial spyware tools for espionage, not just consumer scams.

How to stay safe from Landfall-type spyware
Here are some practical steps you can take to reduce risk:

  • Keep your device updated.
    • Keep your device OS and security patches up to date. In the case of Samsung, this vulnerability was patched in April 2025.
  • Be careful with incoming media/files, even from contacts that you know.
    • Even an image file can be malicious. If you receive unexpected or out-of-pattern media, verify with the sender.
  • Minimize the exposure of sensitive data on your phone.
    • Use encryption and secure backups, minimise apps with wide permissions, and remove unused apps.
  • Employ strong device security practices.
    • Set a strong device lock (PIN, passcode, biometric).
    • Enable full-disk encryption (on by default on many devices).
    • Only use trusted apps; avoid side-loading any suspicious apps.
  • Enable security features, where available.
    • On Android, use security features such as Google Play Protect and app permission auditing.
    • Set messaging apps not to auto-download media, or disable auto-processing of incoming attachments.

  • Consider using a separate device for sensitive tasks.
    • If you think you might be a high-value target (e.g. journalist, activist), use a separate phone and separate comms channels.
  • Be aware of the signs of compromise.
    • Battery draining abnormally fast, unknown apps, strange behaviours (camera/mic activation, etc.), or a phone running hot: consider a professional audit.
  • Use good communications hygiene.
    • Use encrypted messaging applications like Signal, etc.
    • Avoid intricate or hazardous attachments.
    • Limit sharing of device details, location, sensitive information.
  • For enterprise/high-risk users:
    • Employ MDM solutions, regular threat scans, network monitoring, implant removal samples, or forensic review.

Putting all of these steps together greatly reduces your attack surface and helps ensure that, if someone attempts to deploy a piece of spyware like Landfall, your device is far less likely to fall prey.
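For the patching and MDM advice above, here is an added example (not from the original post or from Unit 42) of triaging a device inventory against the April 2025 fix. The record field names and the sample fleet are hypothetical, and it assumes the Samsung fix corresponds to an Android security patch level of 2025-04-01 or later.

```python
import re
from datetime import date

# Assumption: Samsung's April 2025 fix corresponds to an Android security
# patch level (ro.build.version.security_patch) of 2025-04-01 or later.
FIXED_LEVEL = date(2025, 4, 1)
# Series named in the article; only "some" Fold/Flip models are affected,
# so every Fold/Flip is matched for review.
NAMED_SERIES = re.compile(r"Galaxy (S2[234]|Z (Fold|Flip))", re.I)
PATCH_RE = re.compile(r"^(\d{4})-(\d{2})-(\d{2})$")

def parse_patch_level(value):
    """Return a date for a 'YYYY-MM-DD' patch level, or None if unusable."""
    m = PATCH_RE.match((value or "").strip())
    if not m:
        return None
    try:
        return date(*map(int, m.groups()))
    except ValueError:  # e.g. month 13
        return None

def triage(device):
    """Classify one inventory record (field names are hypothetical)."""
    if (device.get("manufacturer") or "").lower() != "samsung":
        return "out_of_scope"
    level = parse_patch_level(device.get("security_patch"))
    if level is None:
        return "unknown_patch_level"  # missing/garbled: needs manual follow-up
    if level >= FIXED_LEVEL:
        return "patched"
    named = bool(NAMED_SERIES.search(device.get("model_name") or ""))
    in_range = device.get("android") in (13, 14, 15)
    return "exposed_named_model" if named and in_range else "unpatched_other"

# Constructed sample inventory, not real devices.
FLEET = [
    {"id": "d1", "manufacturer": "samsung", "model_name": "Galaxy S23", "android": 14, "security_patch": "2025-02-01"},
    {"id": "d2", "manufacturer": "samsung", "model_name": "Galaxy S24 Ultra", "android": 15, "security_patch": "2025-05-01"},
    {"id": "d3", "manufacturer": "samsung", "model_name": "Galaxy Z Flip5", "android": 14, "security_patch": ""},
    {"id": "d4", "manufacturer": "Google", "model_name": "Pixel 8", "android": 15, "security_patch": "2024-12-05"},
    {"id": "d5", "manufacturer": "samsung", "model_name": "Galaxy A54", "android": 14, "security_patch": "2025-01-01"},
]

def audit(fleet):
    return {d["id"]: triage(d) for d in fleet}

if __name__ == "__main__":
    for dev_id, status in audit(FLEET).items():
        print(dev_id, status)
```

Devices reported as `exposed_named_model` or `unknown_patch_level` are the ones to update or inspect first.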

Stay safe!


Abhijeet is a software engineer who moonlights as a tech writer. His love for gadgets, mobile innovations, and smart devices keeps him closely connected to India’s fast-growing tech scene. When he’s not coding, he’s usually testing the latest earbuds or Android updates.
