Spyware Targets Samsung Galaxy Devices, Reports Unit 42

Security researchers have identified a new type of commercial spyware, known as “Landfall,” that targets Samsung Galaxy device users in the Middle East. The suspected threat actor is believed to have connections to entities in the United Arab Emirates. The findings were made public by Palo Alto Networks’ Unit 42, which highlighted specific vulnerabilities in the devices.
The exploits were discovered during an investigation into a zero-day flaw tracked as CVE-2025-21042. The vulnerability allowed malware to be embedded within a DNG image file, which could be sent to victims via platforms like WhatsApp. Notably, the attack requires no user interaction, making it a zero-click exploit.
Unit 42 did not specifically attribute the attack to a known group; however, they noted similarities between Landfall’s command-and-control infrastructure and registered domains related to Stealth Falcon, a threat group with potential ties to the UAE government.
The origins of the spyware may trace back to a vendor named Variston, based in Barcelona, which recently ceased operations. While concrete links remain uncertain, Unit 42 indicates that the components of the spyware suggest involvement from Variston, which was previously known to have provided tools to UAE clients.
Once a device is compromised, Landfall transforms it into a comprehensive surveillance instrument. The spyware can execute a variety of functions, including recording audio, tracking locations, and exfiltrating sensitive information such as photos, contacts, and call logs.
Unit 42’s investigation was prompted by earlier findings in which a similar vulnerability in iOS devices, tracked as CVE-2025-43300, was mitigated by Apple. That vulnerability also involved DNG image processing, suggesting a growing trend in which DNG-related flaws are used for sophisticated spyware attacks across multiple platforms.
While it remains unclear whether the same threat actor is responsible for both the Samsung and iOS vulnerabilities, the concurrent disclosures shed light on a broader pattern of exploitation involving mobile image processing. This situation underscores the need for organizations to remain vigilant and enhance their cybersecurity protocols to defend against evolving threats.