New Landfall spyware apparently targeting Samsung phones in Middle East
A new commercial-grade spyware has apparently been targeting Samsung Galaxy phones in the Middle East, but it’s not clear who’s behind it, researchers said in a blog post Friday.
Whoever’s responsible, they seized upon a previously unknown, unpatched vulnerability known as a zero-day — a flaw Samsung has since closed, the researchers from Palo Alto Networks’ Unit 42 said.
The company dubbed the spyware “Landfall.” The research indicates potential targets in Iran, Iraq, Morocco and Turkey, the blog post states. It’s a campaign that has been underway since at least the middle of 2024, pointing to the spyware’s ability to remain hidden.
Landfall is embedded in malicious DNG image files that seem to have been sent via WhatsApp, although there is no indication of any new vulnerability with that messaging platform. WhatsApp has been fighting spyware on another front, in a ground-breaking legal battle against leading spyware vendor NSO Group.
It doesn’t appear to require any interaction with victims, a kind of exploit called “zero-click.” Once it infects a phone, Landfall has the kind of sweeping surveillance capabilities found in spyware sold by industry vendors, capable of activating microphone recording or collecting photos and contacts.
“We believe the focus on Samsung Galaxy devices stems from the attackers exploiting a Samsung-specific image-processing zero-day, so the tooling was built for that environment,” Itay Cohen, senior principal researcher at Unit 42 told CyberScoop in an emailed comment. “That said, we think we’re only seeing part of the activity. This isn’t isolated — this campaign delivering LANDFALL appears to be part of a broader DNG exploitation wave that also hit iPhone devices via a different zero-day. It’s also possible that other mobile vendors were targeted using undiscovered vulnerabilities to deliver the same or similar implants.”
The spyware specifically targets S22, S23, S24 and Fold/Flip Samsung devices.
There are some potential clues as to who might be involved, but all of them are inconclusive, Palo Alto Networks said.
Landfall’s command and control infrastructure and domain registration patterns share similarities with a group known as Stealth Falcon, which has suspected links to the United Arab Emirates government.
“As of October 2025, except in infrastructure, we have not observed direct overlaps between the mobile campaigns of LANDFALL and the endpoint-based activity from Stealth Falcon, nor direct strong links with Stealth Falcon,” Palo Alto Networks wrote. “However, the similarities are worth discussion.”
Samsung did not immediately respond to a request for comment.
