Safety researchers uncovered a vulnerability that was exploited to inject a brand new sort of adware known as ‘Landfall’ in Samsung Galaxy telephones as a part of a months-long hacking marketing campaign doubtlessly focusing on victims within the Center East.
The attackers relied on an Android OS safety flaw to deploy the adware and compromise Galaxy smartphones, researchers at Unit 42, backed by cybersecurity agency Palo Alto Networks, stated in a weblog publish on November 7. It was a zero-day assault, that means that Samsung didn’t know in regards to the vulnerability on the time.
Much like the NSO Group’s Pegasus, Landfall is zero-click. Because of this the adware might be efficiently delivered to focus on telephones with out requiring any motion from the victims’ finish. Merely sending a maliciously crafted picture to a sufferer’s cellphone, seemingly delivered via a messaging app, might be sure that the system is contaminated by Landfall, as per the researchers.
The adware’s supply code pointed to 5 Galaxy fashions as potential targets, specifically: the Samsung Galaxy S22, S23, S24, and a few Z fashions as nicely. The researchers additionally discovered the Android safety flaw in different Galaxy gadgets, and stated that gadgets working Android variations 13 via 15 might have been affected too.
In response, Samsung patched the safety flaw exploited to deploy the adware in April this yr. Nevertheless, Landfall was first detected in July final yr and the marketing campaign was operational since mid-2024.
“LANDFALL remained energetic and undetected for months,” Unit 42 stated. “The precise flaw LANDFALL exploited, CVE-2025-21042, will not be an remoted case however reasonably a part of a broader sample of comparable points discovered on a number of cell platforms,” it added.
What’s Landfall adware? Who’s behind it?
Much like different commercial-grade adware, Landfall is able to finishing up complete surveillance of its victims by vacuuming up on-device knowledge equivalent to images, contacts, and name logs, in addition to tapping the system’s microphone and monitoring its exact location.
Story continues beneath this advert
“The adware is delivered via malformed DNG picture information exploiting CVE-2025-21042—a crucial zero-day vulnerability in Samsung’s picture processing library, which was exploited within the wild,” the researchers stated. Unit 42 stated its researchers analysed varied adware samples that had been uploaded to VirusTotal, a malware scanning service, by folks situated in Morocco, Iran, Iraq, and Turkey between 2024 to 2025.
Whereas the adware vendor that developed Landfall will not be recognized for sure, the researchers discovered that Landfall was hosted on digital infrastructure just like that of a widely known adware vendor known as Stealth Falcon. Different particulars equivalent to the precise variety of people that have been doubtlessly focused as a part of the marketing campaign are unclear.
Who have been the seemingly targets of Landfall adware?
Unit 42 researchers stated that Landfall had been used to hold out “focused intrusion actions inside the Center East”.
Additionally they discovered proof that instructed the adware was not mass-distributed like malware. As a substitute, the attackers undertook a “precision assault” on particular people, indicating that it was seemingly a government-backed espionage marketing campaign, Itay Cohen, a senior principal researcher at Unit 42, was quoted as saying by JHB.
Story continues beneath this advert
Researchers stated that there was not sufficient proof to obviously state {that a} authorities buyer of Landfall was behind the hacking marketing campaign. However they discovered that the Landfall hacking marketing campaign shared a number of similarities with earlier adware assaults in opposition to journalists, activists, and dissidents within the UAE going again to 2012.
Had been iPhone customers additionally focused by Landfall?
Moreover, the researchers identified that Apple patched an identical zero-day vulnerability in August this yr. “We can’t verify whether or not this chain was used to ship an equal of LANDFALL to iOS, or whether or not it’s the identical risk actor behind the 2,” Unit 42 wrote.
“Nevertheless, this parallel improvement within the iOS ecosystem, mixed with the disclosure of the Samsung and Apple vulnerabilities just some weeks aside, highlights a broader sample of DNG picture processing vulnerabilities being leveraged in subtle cell adware assaults,” it added.
In September this yr, Apple introduced that it had made a collection of modifications to its A19 and A19 Professional chips, working system, and improvement software in an effort to stop the newest iPhone 17 lineup from being compromised in assaults by Pegasus-like adware.
Story continues beneath this advert
This adware safety software, referred to as Reminiscence Integrity Enforcement (MIE), has been constructed to detect and patch safety exploits in system reminiscence, making it more durable for risk actors to compromise iPhones utilizing subtle adware like Pegasus, in line with Apple.