
The spyware known as LANDFALL

Writer: Matthew Parish

In November 2025 cybersecurity researchers publicly disclosed a sophisticated new family of Android-targeted spyware, codenamed LANDFALL, which exploits a zero-day vulnerability in certain flagship Samsung Galaxy devices. The campaign stands out for its use of malformed image files (DNG format) delivered with minimal or potentially no user interaction, the high level of surveillance capability embedded within the spyware framework, and indications of regional targeting and private sector offensive actor involvement. In what follows we study the technical mechanisms of LANDFALL, its capabilities, its strategic and geopolitical implications, some attribution evidence, and finally what lessons it holds for mobile security in the context of state-grade surveillance tools.


Technical mechanism: zero-day, DNG images and the exploit chain


LANDFALL leverages a zero-day vulnerability tracked as CVE-2025-21042, an out-of-bounds write flaw in Samsung’s image-processing library libimagecodec.quram.so, which is used to decode DNG (“Digital Negative”) image files on Samsung Galaxy devices. The flaw enabled remote code execution (RCE) when the vulnerable library processed a maliciously crafted DNG file, and because the library is a core image codec, any application that hands it untrusted images could serve as a vector.


Samsung issued a patch in April 2025 addressing this vulnerability. 


The initial deployment of LANDFALL was via malformed DNG image files, typically disguised with filenames like “WhatsApp Image …” and delivered via messaging apps (likely WhatsApp). The malicious files contained an embedded ZIP archive appended to the DNG data; when processed, the exploit chain triggered the vulnerability, extracted the payloads, and executed the loader. 
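As an added illustration of the delivery format described above (not code from the researchers or from the original article), the following Python check looks for a ZIP archive appended to a TIFF/DNG file by validating the ZIP end-of-central-directory record against the file layout rather than just searching for "PK" bytes. The sample files it builds are constructed here; their member names are placeholders taken from the text, not real payloads.

```python
import io
import struct
import zipfile

TIFF_MAGICS = (b"II*\x00", b"MM\x00*")  # little- and big-endian TIFF/DNG headers
ZIP_LOCAL_HDR = b"PK\x03\x04"           # first bytes of a ZIP archive
ZIP_EOCD_SIG = b"PK\x05\x06"            # end-of-central-directory record
EOCD_MIN_LEN = 22


def find_appended_zip(data: bytes):
    """Return (zip_start, member_names) for a ZIP trailing TIFF/DNG data, else None."""
    if data[:4] not in TIFF_MAGICS:
        return None
    eocd = data.rfind(ZIP_EOCD_SIG)
    if eocd < 0 or len(data) < eocd + EOCD_MIN_LEN:
        return None
    # EOCD after signature: disk, CD disk, entries here, total entries, CD size, CD offset, comment len
    _, _, _, entries, cd_size, cd_offset, _ = struct.unpack(
        "<HHHHIIH", data[eocd + 4:eocd + EOCD_MIN_LEN])
    zip_start = eocd - cd_size - cd_offset  # CD offset is relative to the ZIP start
    # A genuine appended archive begins with a local file header and lies past the
    # 8-byte TIFF header; a stray "PK\x05\x06" inside pixel data fails this check.
    if zip_start < 8 or data[zip_start:zip_start + 4] != ZIP_LOCAL_HDR:
        return None
    try:
        with zipfile.ZipFile(io.BytesIO(data[zip_start:])) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return None
    return (zip_start, names) if len(names) == entries else None


def build_sample(with_zip: bool) -> bytes:
    """Constructed input: minimal little-endian TIFF (empty IFD plus padding),
    optionally followed by a ZIP whose members are placeholders, not real payloads."""
    tiff = b"II*\x00" + struct.pack("<I", 8)  # magic + offset of first IFD
    tiff += struct.pack("<H", 0) + struct.pack("<I", 0)  # 0 entries, no next IFD
    tiff += b"\x00" * 64  # stands in for image data
    if not with_zip:
        return tiff
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("b.so", b"placeholder bytes")
        zf.writestr("l.so", b"placeholder bytes")
    return tiff + buf.getvalue()


if __name__ == "__main__":
    for label, flag in (("clean", False), ("appended-zip", True)):
        print(label, find_appended_zip(build_sample(flag)))
```

A production scanner would also walk the TIFF IFD chain to confirm that the archive lies beyond every referenced strip or tile, since a legitimate DNG can carry trailing metadata of its own.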


In many cases the attack appears to have required no click from the victim (“zero-click”), or only minimal interaction, because the system’s own processing of the image was enough to trigger the exploit. 

The timeline indicates that samples of these malformed image files first appeared on VirusTotal (a malware scanner) from July 2024 onward — months before patching or public disclosure. 


Spyware framework and capabilities


Once the exploit succeeds, the LANDFALL framework installs a modular spyware system. Key components include:


  • A loader file (named b.so) which acts as the main backdoor, internally referred to as “Bridge Head”. 


  • A second module (l.so) which manipulates SELinux policy to grant elevated privileges and persistence on the device. 


The capabilities of LANDFALL include comprehensive surveillance functions:


  • Audio recording via the microphone. 


  • Location tracking and GPS data collection. 


  • Access to photos, call logs, contacts, SMS, installed apps. 


  • Anti-analysis / evasion techniques (for example detection of debugging tools, hooking frameworks). 


  • Command and control (C2) infrastructure using HTTPS over non-standard ports, with domains masquerading as benign. 


Target devices and geographic focus


The malware is engineered specifically for Samsung Galaxy devices, including the S22, S23 and S24 series and the Z Fold4 / Z Flip4. Sample data and infrastructure point to potential victims in the Middle East and North Africa (Iraq, Iran, Turkey, Morocco). 


While broader exploitation cannot be ruled out, the evidence suggests targeted, high-value individuals rather than mass distribution. 


Commercial spyware and the private sector offensive actors (PSOAs)


One of the notable features of LANDFALL is that it appears to be “commercial-grade spyware” — that is, a tool likely developed by a private vendor and deployed for espionage purposes, sold or licensed to one or more clients (states or state-aligned actors). The debug terminology (“Bridge Head”), infrastructure similarities and targeting pattern all suggest links to known spyware vendor frameworks such as those used by organisations like NSO Group, Cytrox and Variston. 


This raises questions regarding oversight, regulation and accountability of commercial spyware. The deployment of such a tool against targeted individuals in states with contested human rights records adds to the broader concern about surveillance abuse.


The danger of zero-click mobile exploitation


LANDFALL highlights a growing problem: mobile devices are increasingly the target of sophisticated zero-click or near-zero-click exploits. The device may become compromised without the user performing any obvious risky action. The use of image-processing libraries (for DNG files) as a vector is particularly insidious because images are ubiquitous and often auto-displayed or processed by messaging apps and the OS with minimal user intervention. The pervasiveness of messaging apps like WhatsApp, combined with this delivery method, means high-value targets such as activists, journalists, dissidents or diplomats may be particularly vulnerable.


Implications for geopolitical surveillance and digital security


Given the regional focus (Middle East, North Africa), LANDFALL appears to be part of a surveillance system where mobile devices serve as rich intelligence targets: immediate access to location, calls, contacts, media and real-time communications. In a broader context, controlling access to an individual’s phone can be tantamount to controlling much of their digital and real-world life. For countries like Ukraine the lesson is that modern conflict arenas increasingly involve surveillance as much as kinetic engagements. Mobile device compromise can influence diplomatic manoeuvres, intelligence flows and even battlefield communications.


Attribution and unresolved questions


While the technical details of LANDFALL are well documented, the attribution remains unresolved. Researchers at Palo Alto Networks’ Unit 42 note that the infrastructure shows similarities to that used by the group Stealth Falcon (linked to the United Arab Emirates) but emphasise that the evidence is not sufficient to definitively attribute the campaign. 

There is also an absence of public data on who the actual operator(s) or buyer(s) of the tool were, or exactly how many victims there have been. The modular design and commercial traits suggest it may have been sold to multiple end-users or customers. Moreover, the ability of states or state-aligned actors to purchase such tools raises questions around export control, legal frameworks, and oversight of such surveillance capabilities.


Mitigations and lessons learned


From a defensive and policy perspective the emergence of LANDFALL yields several lessons:


  • Patch-management and mobile hardening: The exploit relied on a vulnerability in the image processing library that was patched in April 2025. Devices that remained unpatched were vulnerable. Organisations must ensure timely application of updates and security maintenance releases. 


  • Restrict media auto-processing in high-risk environments: Since the delivery vector was often a message with an image file, disabling auto-download of images in messaging apps (especially for high-value users) reduces risk. 


  • Mobile threat detection and anomaly monitoring: Given that even well-protected devices may fall victim to zero-click exploits, defenders should deploy mobile-endpoint detection and network anomaly monitoring, identify command-and-control domains, and maintain visibility into device behaviour. 


  • Awareness of commercial spyware threat-model: The fact that a private vendor-style spyware tool is in use underscores that defenders must consider not only state-sponsored espionage frameworks but also private-sector offensive actors. Legal, ethical and policy frameworks must keep pace with such developments.


  • Operational security for high-risk individuals: Journalists, dissidents, activists, diplomats and others may constitute high-value targets for surveillance. Mobile device use by such individuals must be treated as sensitive, with strict controls and fallback arrangements.


The LANDFALL spyware campaign marks an important milestone in the evolution of mobile espionage tools: a zero-click exploit chain using image files, directed at modern flagship Android devices, with commercial-grade modular spyware delivering real-time surveillance. For organisations concerned with cybersecurity and for states grappling with the implications of mobile compromise, the case highlights the convergence of technology vulnerability, surveillance ambition and geopolitical risk. In theatres such as Ukraine, where digital communications, mobile devices and battlefield intelligence are intimately linked, awareness of such threats is as vital as traditional kinetic defence.


As the technical details continue to emerge and as attribution becomes clearer, LANDFALL will surely become a case-study in how mobile platforms are being weaponised. Those at risk of cyber attack must adopt a posture of mobile resilience, timely patching, secure messaging practices and readiness for a world in which the smartphone is both a battlefield and a target. A final lesson is that as mobile phones develop in sophistication, with customers always wanting the latest models, ever new pitfalls in their technology will be found by resourceful hackers.


Note from Matthew Parish, Editor-in-Chief. The Lviv Herald is a unique and independent source of analytical journalism about the war in Ukraine and its aftermath, and all the geopolitical and diplomatic consequences of the war as well as the tremendous advances in military technology the war has yielded. To achieve this independence, we rely exclusively on donations. Please donate if you can, either with the buttons at the top of this page or become a subscriber via www.patreon.com/lvivherald.

Copyright (c) Lviv Herald 2024-25. All rights reserved. Accredited by the Armed Forces of Ukraine after approval by the State Security Service of Ukraine. To view our policy on the anonymity of authors, please click the "About" page.
