Big Tech

Unit 42 Uncovers LANDFALL Spyware Exploiting Samsung Zero-Day Flaw

By: Admin

Thursday, November 13, 2025

Palo Alto Networks today revealed a sophisticated, previously unreported commercial-grade spyware operation, dubbed LANDFALL, that exploited an unpatched zero-day vulnerability in Samsung Galaxy phones to conduct full surveillance on high-value targets.

Researchers from the company's threat intelligence team, Unit 42, uncovered the full details of the campaign, which employed a critical zero-day flaw, CVE-2025-21042, in Samsung’s image processing library. The vulnerability was actively exploited in the wild for months, beginning in mid-2024, before Samsung issued a patch in April 2025.

The LANDFALL spyware was delivered via a maliciously crafted DNG (raw image) file that appears to have been sent over WhatsApp. The delivery is consistent with a zero-click exploit, meaning it likely required no user interaction to compromise the device. It is part of a growing trend of attacks targeting mobile image processing libraries, similar to recently disclosed campaigns against other mobile platforms.

LANDFALL is highly potent, enabling comprehensive digital surveillance. Once deployed on targeted Samsung Galaxy models (including the S22, S23, S24, and Fold/Flip series), the spyware facilitated microphone recording, location tracking, and the exfiltration of sensitive data such as photos, contacts, and call logs.

The evidence points to a targeted campaign against individuals in the Middle East, specifically in Iraq, Iran, Turkey, and Morocco. The tradecraft and infrastructure links bear the hallmarks of a Private-Sector Offensive Actor (PSOA), that is, a vendor from the commercial spyware industry.

“Our research provides a rare look back at this sophisticated, undetected operation that was active for months before a fix was available,” said a Unit 42 spokesperson. “The discovery of LANDFALL underscores the continuous threat posed by commercial spyware and the critical need for robust mobile threat defenses, particularly against zero-day exploits delivered through common communication platforms.”

While the vulnerability is now patched, the Unit 42 analysis sheds light on the advanced techniques used by commercial spyware vendors. Palo Alto Networks continues to monitor these sophisticated threats to protect global digital infrastructure.
