Palo Alto Networks’ threat intelligence team, Unit 42, has identified a sophisticated spyware campaign exploiting a previously unknown zero-day vulnerability in Samsung Galaxy smartphones, allowing attackers to conduct full-scale surveillance on targeted users.
The spyware, named LANDFALL, was uncovered during an investigation into a series of covert attacks that began in mid-2024. The campaign leveraged a vulnerability in Samsung’s image processing library, tracked as CVE-2025-21042, that remained unpatched until April 2025.
According to Unit 42, LANDFALL was delivered via a malicious DNG (raw image) file, likely distributed through WhatsApp. This delivery technique mirrors recent mobile exploitation trends targeting Apple devices. The attack may have been zero-click, requiring no user interaction for infection.
Capabilities and Impact
Once deployed, LANDFALL provided attackers with near-total control over infected phones, enabling them to record audio, access location data, and extract sensitive information such as call logs, photos, and contacts. The campaign primarily targeted individuals in Iraq, Iran, Turkey, and Morocco, with strong indicators linking it to private-sector offensive actors (PSOAs)—commercial spyware developers that sell surveillance tools to government clients.
Researchers described LANDFALL as “commercial-grade spyware” engineered for stealth and persistence across flagship Samsung devices, including the S22, S23, S24, and Fold/Flip series. Its infrastructure and operational patterns closely match those seen in prior state-linked espionage campaigns.
“LANDFALL offers a rare glimpse into a long-running spyware operation that silently compromised consumer devices at scale,” Unit 42 researchers stated. “It highlights the increasing sophistication of mobile surveillance and the urgent need for rapid patch deployment and intelligence sharing.”
Broader Context
The incident demonstrates how mobile zero-days remain lucrative tools for surveillance operations. As smartphone security improves, adversaries are exploiting obscure attack surfaces like image and media parsing libraries—components that parse content received from untrusted senders but often lack robust isolation mechanisms.
Samsung addressed the issue in its April 2025 security update. However, analysts emphasise that zero-day detection gaps persist across the mobile ecosystem, leaving high-value targets vulnerable to undisclosed exploits.
The LANDFALL campaign reinforces the importance of continuous mobile threat monitoring, swift patch adoption, and collaboration between vendors and threat intelligence teams to identify and neutralise emerging spyware operations before they escalate.