A sophisticated new commercial-grade spyware, dubbed “Landfall,” has been discovered targeting Samsung Galaxy phones, primarily in the Middle East. Researchers from Palo Alto Networks’ Unit 42 revealed the finding in a blog post on Friday, highlighting the campaign’s use of a zero-day vulnerability that has since been patched by Samsung.
The campaign, active since at least mid-2024, has shown indications of targeting devices in Iran, Iraq, Morocco, and Turkey. Landfall’s distribution method appears to involve malicious DNG image files, potentially sent via WhatsApp, although the messaging platform itself is not believed to have a new vulnerability. The spyware possesses potent surveillance capabilities, including the ability to record audio, capture photos, and access contacts, often without requiring any user interaction.
Samsung Galaxy Phones Targeted by Landfall Spyware
The spyware specifically affects several Samsung Galaxy models, including the S22, S23, S24, and Fold/Flip devices. Researchers stated that the attackers exploited a Samsung-specific image-processing zero-day vulnerability, suggesting the tooling was custom-built for this ecosystem. However, this is believed to be only one part of a larger operation, as similar DNG exploitation has also been observed targeting iPhone devices via a separate zero-day flaw. Devices from other mobile vendors may also be exposed to similar undiscovered vulnerabilities.
The discovery of Landfall raises significant concerns regarding mobile device security and the proliferation of advanced surveillance tools. The zero-click nature of the exploit and its extensive capabilities underscore the evolving threat landscape for smartphone users.
Potential Attribution and Broader Context
While definitive attribution remains elusive, Palo Alto Networks has noted potential links that warrant further investigation. The command and control infrastructure used by Landfall demonstrates similarities to that of a group known as Stealth Falcon, which has been suspected of having ties to the United Arab Emirates government. Researchers noted that as of October 2025, direct overlaps between Landfall’s mobile campaigns and Stealth Falcon’s endpoint activities have not been observed, but the similarities in infrastructure and domain registration patterns are considered significant enough to discuss.
The existence of commercial-grade spyware like Landfall, capable of exploiting zero-day vulnerabilities, highlights the ongoing challenges in cybersecurity. It also points to the commercial viability of such tools for various actors, potentially including state-sponsored entities.
Samsung has not yet released an official statement regarding the Landfall spyware. The cybersecurity community will continue to monitor for any further developments and potential attribution of the actors behind this sophisticated attack. The broader implications for mobile security will likely be a focal point as more details emerge regarding this campaign and its potential reach.

