Newly identified Android spyware appears to be from a commercial vendor
Security researchers on Friday revealed the discovery of “commercial grade” spyware used in a 9-month-long hacking campaign aimed at Samsung Galaxy phones likely concentrated in the Middle East.
The Android spyware, dubbed LANDFALL, exploited a zero-day, or previously undocumented, vulnerability in Galaxy phones’ image processing libraries. The spyware was likely delivered via the WhatsApp messaging platform and used to exfiltrate data and snoop on targets.
LANDFALL, which may have been zero-click, allowed microphone recording, location tracking, call recording, collection of photos and text messages, and exfiltration of contacts and call history, according to researchers at Palo Alto Networks’ Unit 42. Zero-click spyware requires no direct action from a device user.
The security flaw was patched in April 2025 and has been tracked as CVE-2025-21042. The hackers sent victims malformed Digital Negative (DNG) images — a type of TIFF image file. The images had an “embedded ZIP archive appended to the end of the file” that exploited the bug, Unit 42 said.
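A defender-side triage check for the delivery pattern described above, added here as an example and not code from the article or from Unit 42: it walks a TIFF/DNG file's directory structure to find where the image data ends, then reports any ZIP archive appended past that point. The minimal sample DNG, the member name and the function names are constructed for illustration; this is a heuristic for trailing archives, not a detector for the specific vulnerability.

```python
import io
import struct
import zipfile

TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 6: 1, 7: 1, 8: 2, 9: 4,  # bytes per TIFF field type
              10: 8, 11: 4, 12: 8, 13: 4, 16: 8, 17: 8, 18: 8}

def tiff_structural_end(data: bytes) -> int:
    """Highest byte offset the TIFF/DNG structure references; bytes past it are trailing data."""
    e = {b"II*\x00": "<", b"MM\x00*": ">"}.get(data[:4])
    if e is None:
        raise ValueError("not a TIFF/DNG container")
    end, ifd, seen, strip_off = 8, struct.unpack(e + "I", data[4:8])[0], set(), 0
    while ifd and ifd not in seen and ifd + 2 <= len(data):
        seen.add(ifd)  # guard against looping IFD chains in malformed files
        n = struct.unpack(e + "H", data[ifd:ifd + 2])[0]
        if ifd + 6 + 12 * n > len(data):  # truncated directory
            break
        end = max(end, ifd + 6 + 12 * n)
        for tag, typ, cnt, val in struct.iter_unpack(e + "HHII", data[ifd + 2:ifd + 2 + 12 * n]):
            val = val >> 16 if (typ == 3 and cnt == 1 and e == ">") else val  # BE inline SHORT
            size = TYPE_SIZES.get(typ, 1) * cnt
            if size > 4:  # value stored out-of-line at offset val
                end = max(end, val + size)
            elif tag == 273 and cnt == 1:  # StripOffsets (single strip)
                strip_off = val
            elif tag == 279 and cnt == 1:  # StripByteCounts; tags are sorted, so 273 came first
                end = max(end, strip_off + val)
        ifd = struct.unpack(e + "I", data[ifd + 2 + 12 * n:ifd + 6 + 12 * n])[0]
    return min(end, len(data))

def find_appended_zip(data: bytes):
    """(trailer_offset, member_names) if a ZIP archive sits past the TIFF structure, else None."""
    end = tiff_structural_end(data)
    trailer = io.BytesIO(data[end:])
    if not zipfile.is_zipfile(trailer):  # needs a valid EOCD record; leading junk is tolerated
        return None
    return end, zipfile.ZipFile(trailer).namelist()

def build_sample(with_zip: bool) -> bytes:
    """Constructed input: a minimal 1x1 little-endian TIFF, optionally with a harmless ZIP appended."""
    entries = [(256, 3, 1, 1), (257, 3, 1, 1), (273, 4, 1, 62), (279, 4, 1, 3)]
    ifd = struct.pack("<H", len(entries)) + b"".join(struct.pack("<HHII", *t) for t in entries)
    img = b"II*\x00" + struct.pack("<I", 8) + ifd + struct.pack("<I", 0) + b"\x00\x00\x00"
    if with_zip:
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr("payload.txt", "constructed sample, not malicious")
        img += buf.getvalue()
    return img
```

Because the ZIP end-of-central-directory record is located from the file's tail, the check still fires when the appended archive follows pixel data the structural walk did not account for.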
The campaign shares “tradecraft patterns” and infrastructure with commercial spyware operations in the Middle East, suggesting potential ties to private sector manufacturers, the researchers said in a blog post.
The vendor and government behind LANDFALL remain unknown, and it is not clear how many people were targeted, according to Unit 42. Researchers there believe the campaign was designed for snooping.
“This was not mass-distributed malware but a precision attack,” said Itay Cohen, a senior principal researcher at Unit 42. “The sophisticated infrastructure, bespoke payload design, and use of zero-day vulnerabilities are all hallmarks of an espionage-motivated operation, not a financial or consumer-scale campaign.”
LANDFALL’s command and control infrastructure and domain registration patterns are similar to those used by Stealth Falcon, a hacking group with strong ties to the United Arab Emirates, the researchers said. Stealth Falcon has been tied to dozens of spyware cases involving countries in Africa and the Middle East.
There are no “direct overlaps” between LANDFALL’s mobile campaigns and the “endpoint-based activity from Stealth Falcon, nor direct strong links with Stealth Falcon,” the blog post said. “However, the similarities are worth discussion.”
The LANDFALL samples the researchers found were submitted to the VirusTotal repository in 2024 and 2025, the researchers said, indicating potential targets in Iraq, Iran, Turkey and Morocco.
Turkey's cyber readiness team, known as USOM, also reported IP addresses used by LANDFALL's command and control servers as malicious, suggesting possible Turkish victims, the researchers said.
The vulnerability was privately reported to Samsung in September 2024, but the company did not release a firmware update to fix it until April 2025, the researchers said. Samsung did not respond to a request for comment.
Targeted device models include the Galaxy Z Fold4, Galaxy Z Flip4 and the S22, S23 and S24 series, according to the blog post.
Suzanne Smalley is a reporter covering privacy, disinformation and cybersecurity policy for The Record. She was previously a cybersecurity reporter at CyberScoop and Reuters. Earlier in her career Suzanne covered the Boston Police Department for the Boston Globe and two presidential campaign cycles for Newsweek. She lives in Washington with her husband and three children.