Executive Summary
In November 2025, researchers at Palo Alto Networks' Unit 42 publicly disclosed LANDFALL, a commercial-grade Android spyware family that had been used against Samsung Galaxy users since at least mid-2024. LANDFALL was not delivered through app stores or phishing links: it arrived as malformed DNG image files that exploited CVE-2025-21042, an out-of-bounds write in Samsung's image codec library (libimagecodec.quram.so), so that merely processing the image on the handset executed attacker code. Samsung fixed the flaw in its April 2025 security update, but the campaign had run for months before it was detected. Once resident, the spyware gave its operators covert access to the microphone, camera, location and stored data, letting them record conversations, track movements, collect photos and exfiltrate contacts while evasion techniques kept it hidden from the victim. The incident highlights the growing sophistication of targeted mobile threats and the operational risk to organizations with a mobile workforce.
With mobile malware like LANDFALL exploiting the large attack surface of modern smartphones, security teams must reassess their controls for device management, east-west traffic monitoring, and policy enforcement. This case underscores the need for enterprises to adopt zero trust defenses that assume a managed handset can be compromised without any user action, and to keep pace with evolving mobile threat tactics.
Why This Matters Now
The LANDFALL campaign shows how a high-capability mobile threat bypasses the protections most organizations rely on: no app install, sideload or link click was required, because the exploit ran when the device parsed an image. As mobile device usage continues to grow, especially for remote and hybrid work, organizations need to keep handset patch levels current and strengthen segmentation, detection and egress policies so that a compromised device cannot quietly reach attacker infrastructure.
Attack Path Analysis
The attacker delivered a malformed DNG image to the target's Samsung Galaxy device; when the handset's image codec (libimagecodec.quram.so) parsed it, CVE-2025-21042 gave the attacker code execution and the LANDFALL payload was loaded. The spyware then escalated its privileges to reach functions ordinarily gated by the platform and collected contacts, media, location, audio and other private data from the device (this is data collection on a single endpoint, not lateral movement between hosts). Ongoing command and control was maintained over covert channels, enabling continuous collection and remote tasking, and the recorded conversations, locations, photos and contacts were exfiltrated to attacker infrastructure. The ultimate impact was undetected surveillance, data theft and loss of user privacy.
Kill Chain Progression
Initial Compromise
Description
The attacker delivered LANDFALL to Samsung Galaxy devices as malformed DNG image files that exploited CVE-2025-21042 in the handset's image codec; the victim did not need to install an app or click a link for the image to be parsed.
Related CVEs
CVE-2025-21042
CVSS 8.8. An out-of-bounds write vulnerability in Samsung's image processing library (libimagecodec.quram.so) allows remote code execution via malicious DNG image files. Samsung fixed the issue in its April 2025 security maintenance release; devices on an earlier security patch level remain exploitable.
Affected Products:
Samsung Galaxy S22 – Android 13, Android 14, Android 15
Samsung Galaxy S23 – Android 13, Android 14, Android 15
Samsung Galaxy S24 – Android 13, Android 14, Android 15
Samsung Galaxy Z Fold4 – Android 13, Android 14, Android 15
Samsung Galaxy Z Flip4 – Android 13, Android 14, Android 15
Exploit Status:
Exploited in the wild (used as a zero-day by the LANDFALL campaign before the April 2025 patch)
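Because the vulnerability sits in a DNG decoder, the first triage question for a responder is whether an image recovered from a messaging cache or download folder is structurally a normal camera file. The following Python script is an added example, not code from this page or from the researchers who analysed LANDFALL: it walks the TIFF/DNG IFD structure, flags offsets that point past the end of the file (the kind of malformed structure that stresses a decoder), and reports any bytes appended after the last byte the image actually references, including an embedded ZIP local-file header. Treating appended data as an indicator is an assumption made here for illustration; the sample files are constructed inline by a small builder, and the tag numbers and field layout follow the TIFF 6.0 specification.

```python
"""Structural triage of DNG/TIFF files (added example; constructed samples).

Flags: out-of-range IFD or strip offsets, and data appended after the last
byte the image structure references (assumed indicator: a ZIP archive).
"""
import struct

# TIFF field type -> size in bytes (TIFF 6.0 types 1..13)
TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 6: 1, 7: 1, 8: 2, 9: 4, 10: 8, 11: 4, 12: 8, 13: 4}
STRIP_OFFSETS, STRIP_BYTE_COUNTS, SUB_IFDS, EXIF_IFD = 273, 279, 330, 34665
ZIP_MAGIC = b"PK\x03\x04"   # ZIP local-file header signature


def triage_dng(data: bytes) -> dict:
    """Walk the IFD chain; return findings and the count of trailing bytes."""
    findings = []
    if len(data) < 8 or data[:2] not in (b"II", b"MM"):
        return {"findings": ["not a TIFF/DNG header"], "trailing_bytes": 0}
    endian = "<" if data[:2] == b"II" else ">"
    magic, ifd0 = struct.unpack(endian + "HI", data[2:8])
    if magic != 42:
        findings.append("bad TIFF magic %d" % magic)
    extent = 8                        # highest byte the structure legitimately references
    queue, seen = [ifd0], set()
    while queue:
        off = queue.pop()
        if off == 0 or off in seen:   # 0 terminates the chain; seen guards against loops
            continue
        seen.add(off)
        if off + 2 > len(data):
            findings.append("IFD offset 0x%x beyond EOF" % off)
            continue
        n = struct.unpack(endian + "H", data[off:off + 2])[0]
        end = off + 2 + 12 * n + 4     # entries plus the next-IFD pointer
        if end > len(data):
            findings.append("IFD at 0x%x truncated (%d entries)" % (off, n))
            continue
        extent = max(extent, end)
        strips = {}
        for i in range(n):
            e = off + 2 + 12 * i
            tag, typ, cnt = struct.unpack(endian + "HHI", data[e:e + 8])
            size = TYPE_SIZES.get(typ, 0) * cnt
            if size > 4:               # value field holds an offset to the data
                ptr = struct.unpack(endian + "I", data[e + 8:e + 12])[0]
                if ptr + size > len(data):
                    findings.append("tag %d data 0x%x+%d beyond EOF" % (tag, ptr, size))
                extent = max(extent, ptr + size)
                src = data[ptr:ptr + size]
            else:                      # value stored inline, left-justified
                src = data[e + 8:e + 8 + size]
            vals = ()
            if typ in (3, 4) and len(src) == size:   # decode SHORT/LONG arrays only
                vals = struct.unpack(endian + ("H" if typ == 3 else "I") * cnt, src)
            if tag in (STRIP_OFFSETS, STRIP_BYTE_COUNTS):
                strips[tag] = vals
            elif tag in (SUB_IFDS, EXIF_IFD):
                queue.extend(vals)     # DNG keeps the raw image in a SubIFD
        for so, bc in zip(strips.get(STRIP_OFFSETS, ()), strips.get(STRIP_BYTE_COUNTS, ())):
            if so + bc > len(data):
                findings.append("strip 0x%x+%d beyond EOF" % (so, bc))
            extent = max(extent, so + bc)
        queue.append(struct.unpack(endian + "I", data[end - 4:end])[0])
    trailing = max(0, len(data) - extent)
    if trailing:
        findings.append("%d trailing bytes after image structure" % trailing)
        if ZIP_MAGIC in data[extent:]:
            findings.append("ZIP local-file header in trailing data")
    return {"findings": findings, "trailing_bytes": trailing}


def build_tiff(width, height, pixels, claimed_len=None, trailer=b""):
    """Constructed sample: minimal little-endian 8-bit grayscale TIFF."""
    n = 7
    pix_off = 8 + 2 + 12 * n + 4       # pixel data follows the single IFD
    entries = [(256, 4, 1, width), (257, 4, 1, height), (258, 3, 1, 8),
               (273, 4, 1, pix_off), (277, 3, 1, 1), (278, 4, 1, height),
               (279, 4, 1, len(pixels) if claimed_len is None else claimed_len)]
    ifd = struct.pack("<H", n)
    for tag, typ, cnt, val in entries:
        field = struct.pack("<H", val) + b"\0\0" if typ == 3 else struct.pack("<I", val)
        ifd += struct.pack("<HHI", tag, typ, cnt) + field
    ifd += struct.pack("<I", 0)                       # no next IFD
    return b"II" + struct.pack("<HI", 42, 8) + ifd + pixels + trailer


if __name__ == "__main__":
    pixels = b"\x10" * 8
    samples = {
        "benign": build_tiff(4, 2, pixels),
        "appended_zip": build_tiff(4, 2, pixels, trailer=ZIP_MAGIC + b"\0" * 40),
        "oob_strip": build_tiff(4, 2, pixels, claimed_len=0x10000),
    }
    for name, blob in samples.items():
        print(name, triage_dng(blob))
```

The script is a structural check, not a detector for this specific exploit: a file that parses cleanly can still carry a malicious payload in a tag this walker does not decode, so treat a clean result as "no obvious anomaly" and an out-of-range offset or appended archive as grounds to pull the file for analysis and check the device's patch level.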
MITRE ATT&CK® Techniques
Credential Access – Input Capture
Access Sensitive Data or Sensors
Audio Capture
Location Tracking
Remote Access Software
Data Transfer to External Actor
Camera Capture
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Protect Stored Account Data
Control ID: 3.3.2
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA (Digital Operational Resilience Act) – ICT Risk Management Framework
Control ID: Art. 10
CISA Zero Trust Maturity Model 2.0 – Continuous Monitoring and Risk Assessment
Control ID: Devices Pillar: Device Security Monitoring
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Telecommunications
Spyware on Galaxy handsets used by field and network staff exposes operator communications and customer data; carriers need encrypted-traffic inspection and east-west controls on the networks those devices reach.
Financial Services
Mobile malware targeting Galaxy devices threatens financial apps through surveillance capabilities, demanding zero trust segmentation and threat detection compliance measures.
Health Care / Life Sciences
Healthcare organizations risk HIPAA exposure if LANDFALL's location tracking and contact collection touch patient data on clinician devices, which calls for multicloud visibility and policy enforcement.
Government Administration
Government agencies that issue Galaxy devices are exposed to surveillance malware collecting sensitive communications, and need secure hybrid connectivity and anomaly detection.
Sources
- 'Landfall' Malware Targets Samsung Galaxy Users (Dark Reading): https://www.darkreading.com/mobile-security/landfall-malware-targeted-samsung-galaxy-users
- 'Landfall' spyware abused zero-day to hack Samsung Galaxy phones (TechCrunch, 7 November 2025): https://techcrunch.com/2025/11/07/landfall-spyware-abused-zero-day-to-hack-samsung-galaxy-phones/
- Commercial spyware "Landfall" ran rampant on Samsung phones for almost a year (Ars Technica, November 2025): https://arstechnica.com/gadgets/2025/11/commercial-spyware-landfall-ran-rampant-on-samsung-phones-for-almost-a-year/
- LANDFALL: Android spyware delivered via malicious DNG images to Samsung devices (Integrity360): https://insights.integrity360.com/threat-advisories/landfall-android-spyware-delivered-via-malicious-dng-images-to-samsung-devices
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Network-layer controls cannot stop the image-parsing exploit itself; that requires the handset to carry Samsung's April 2025 patch. What CNSF controls such as Zero Trust Segmentation, East-West Traffic Security, egress security and real-time threat detection can do is limit what a compromised device is able to reach afterwards: they constrain the spyware's command-and-control and exfiltration paths, enforce least privilege between the device and backend services, and surface anomalous traffic quickly enough to contain an infection before large volumes of data leave the environment.
Control: Threat Detection & Anomaly Response
Mitigation: Detection of anomalous outbound connections and traffic patterns from managed devices at network entry points.
Control: Zero Trust Segmentation
Mitigation: Limits app-to-service and service-to-service access to enforce least-privilege boundaries.
Control: East-West Traffic Security
Mitigation: Blocks unauthorized internal traffic flows between workloads or cloud services.
Control: Egress Security & Policy Enforcement
Mitigation: Prevents malware from reaching external C2 servers via outbound filtering.
Control: Encrypted Traffic (HPE) & Inline IPS (Suricata)
Mitigation: Detects and blocks malicious or unencrypted exfiltration attempts.
Real-time enforcement and automated response contain emerging threats before data loss escalates.
Impact at a Glance
Affected Business Functions
- Communications
- Data Management
- Location Services
Estimated downtime: 7 days
Estimated loss: $500,000
Potential exposure of sensitive user data including photos, contacts, messages, call logs, and real-time location information.
Recommended Actions
Key Takeaways & Next Steps
- Confirm through MDM that every Samsung Galaxy device carries the April 2025 (or later) security patch level that fixes CVE-2025-21042, and quarantine devices that cannot be updated.
- Implement Zero Trust Segmentation and east-west traffic controls to limit device-to-cloud and device-to-service movement.
- Enforce strict egress filtering and DNS/FQDN policies to block malware command and control and exfiltration paths.
- Deploy real-time threat detection and anomaly response to surface and act on suspicious device or network behaviors promptly.
- Apply microsegmentation and least-privilege access for mobile device and backend service communications.
- Ensure encrypted traffic inspection and inline IPS/IDS are active at all cloud and edge network boundaries to catch covert exfiltration.
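The egress and detection controls listed above (and in the CNSF controls section) come down to a small set of decisions made per outbound flow from the mobile segment. The following Python script is an added example, not code from this page or from any vendor product it mentions: it evaluates constructed flow records against a hypothetical FQDN allowlist, blocks direct-to-IP connections that bypassed DNS, flags upload-heavy flows to otherwise allowed destinations as possible exfiltration, and recommends isolating any device that accumulates repeated blocks. The log format, hostnames, addresses and thresholds are all assumptions chosen for illustration.

```python
"""Mobile-segment egress policy check over constructed flow logs (added example).

Assumed log format: one JSON object per line with src, dst_host (empty when the
device connected straight to an IP), dst_ip, port, bytes_out, bytes_in.
Hostnames, addresses and thresholds are hypothetical.
"""
import json

# Hypothetical allowlist of FQDN suffixes a managed handset may reach directly.
ALLOW_SUFFIXES = ("mdm.corp.example", "updates.corp.example", "files.corp.example")
EXFIL_MIN_BYTES = 1_000_000      # flag uploads of roughly 1 MB or more ...
EXFIL_RATIO = 10                 # ... that send 10x more than they receive
RESPONSE_THRESHOLD = 2           # blocked flows per device before isolation is recommended

# Constructed sample log (RFC 5737 documentation addresses, invented hostnames).
SAMPLE_LOG = """\
{"src": "10.20.0.11", "dst_host": "mdm.corp.example", "dst_ip": "198.51.100.5", "port": 443, "bytes_out": 2048, "bytes_in": 8192}
{"src": "10.20.0.42", "dst_host": "", "dst_ip": "203.0.113.77", "port": 443, "bytes_out": 512, "bytes_in": 4096}
{"src": "10.20.0.42", "dst_host": "cdn-assets.example.net", "dst_ip": "203.0.113.80", "port": 443, "bytes_out": 3500000, "bytes_in": 1200}
{"src": "10.20.0.11", "dst_host": "files.corp.example", "dst_ip": "198.51.100.9", "port": 443, "bytes_out": 5000000, "bytes_in": 20000}
{"src": "10.20.0.13", "dst_host": "updates.corp.example", "dst_ip": "198.51.100.7", "port": 443, "bytes_out": 900, "bytes_in": 90000}
"""


def host_allowed(host: str) -> bool:
    """Exact match or a subdomain of an allowlisted suffix; no substring matching."""
    return any(host == s or host.endswith("." + s) for s in ALLOW_SUFFIXES)


def upload_heavy(flow: dict) -> bool:
    """Large, strongly asymmetric upload: the shape of bulk exfiltration."""
    return (flow["bytes_out"] >= EXFIL_MIN_BYTES
            and flow["bytes_out"] > EXFIL_RATIO * max(flow["bytes_in"], 1))


def evaluate(flow: dict) -> tuple:
    """Return (verdict, reason). Rules are ordered: destination identity first."""
    host = flow["dst_host"]
    if not host:
        return "block", "direct-to-IP connection with no DNS resolution"
    if not host_allowed(host):
        return "block", "destination not in mobile egress allowlist"
    if upload_heavy(flow):
        return "alert", "upload-heavy flow to allowed destination"
    return "allow", "policy match"


def run(log_text: str) -> tuple:
    """Evaluate every flow; return (decisions, devices recommended for isolation)."""
    decisions, blocked = [], {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        flow = json.loads(line)
        verdict, reason = evaluate(flow)
        decisions.append((flow["src"], flow["dst_host"] or flow["dst_ip"], verdict, reason))
        if verdict == "block":
            blocked[flow["src"]] = blocked.get(flow["src"], 0) + 1
    isolate = sorted(src for src, n in blocked.items() if n >= RESPONSE_THRESHOLD)
    return decisions, isolate


if __name__ == "__main__":
    decisions, isolate = run(SAMPLE_LOG)
    for d in decisions:
        print(*d)
    print("recommend isolation:", isolate)
```

The caveat is in the third rule: an implant whose C2 hides behind a destination the allowlist permits (a shared CDN, a popular messaging backend) will only be caught by the traffic-shape heuristic or by inspection, not by the allowlist, so the allowlist should be kept tight and the upload threshold tuned to what the corporate apps legitimately send.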