A months-long hacking campaign has come to light after security researchers discovered a serious Android vulnerability that was exploited to install new spyware called Landfall on Samsung Galaxy phones. The attack is believed to have affected users in the Middle East.
Experts at Unit 42, supported by a cybersecurity firm, said on November 7 that attackers used an unknown Android security flaw to inject the spyware into Galaxy devices. It was a zero-day attack, meaning Samsung did not know about the flaw at the time. Like Pegasus, Landfall is zero-click spyware: it can infect a phone without any action from the victim. A single malicious image sent through a messaging app was enough to compromise the device.
The spyware’s source code showed five Galaxy models as likely targets. These included the Galaxy S22, S23, S24 and some Z series models. The same Android security flaw was also found in other Galaxy phones running Android versions 13 through 15.
Samsung fixed the flaw in April this year. However, Landfall had been active since mid-2024 and was first detected in July last year. Unit 42 said, “LANDFALL remained active and undetected for months.” The group added that the flaw, listed as CVE-2025-21042, was part of a pattern of similar issues seen across different mobile platforms.
Landfall is commercial-grade spyware that can collect photos, contacts and call logs. It can also activate the microphone and track the victim’s location. According to the researchers, the spyware is delivered through manipulated DNG image files that take advantage of the critical zero-day vulnerability in Samsung’s image processing library. Samples of the spyware were found on VirusTotal from people in Morocco, Iran, Iraq and Turkey between 2024 and 2025.
The exact vendor behind Landfall is not confirmed. Researchers noted that its digital infrastructure resembled that of Stealth Falcon, a known spyware provider. They also said the attacks were targeted and not widespread. This suggests a precision operation likely linked to state-backed espionage. It was used mainly for intrusion activities in the Middle East. The group also found similarities with older attacks on journalists, activists and dissidents in the UAE dating back to 2012.
The researchers also noted that Apple patched a similar zero-day flaw in August this year. They could not confirm whether an iOS version of Landfall existed or if the same threat actor was behind both attacks. They said the timing of the Samsung and Apple fixes suggested a wider trend of DNG-based vulnerabilities being used in advanced spyware campaigns.
In September this year, Apple announced several updates to protect the latest iPhone 17 series from Pegasus-like threats. The new Memory Integrity Enforcement tool is designed to detect and fix memory exploits, making it harder for attackers to compromise iPhones with sophisticated spyware.