Unidentified Spy Software Targets Certain Android Devices
A previously undisclosed family of Android spyware, known as LANDFALL, exploited a vulnerability in certain Android devices for almost a year. The spyware is capable of recording calls, tracking location, and collecting photos and logs. The vulnerability was only recently patched.
The surveillance activity likely began in the middle of last year and leveraged a critical flaw in an image-processing library affecting certain Android devices running versions 13 through 16. A team of cybersecurity researchers discovered the commercial-grade spyware and disclosed details of the targeted attacks.
Specific Devices in the Middle East Targeted
"This was a careful surveillance operation, aiming at certain devices in the Middle East, with potential victims in Iraq, Iran, Turkey, and Morocco," said a senior principal researcher. "The use of exploits, custom infrastructure, and modular payload design all suggest an operation driven by espionage."
According to the researchers, exploitation likely involved sending a malicious image to the victim's device through a messaging application in a "zero-click" attack, meaning that infecting targeted phones required no action from the user.
Unclear Number of Targeted Users
"It's uncertain exactly how many individuals were targeted or exploited, but in a recent, similar campaign, less than 200 were targeted, so we can reasonably expect this to be a similar, very targeted volume," the researcher said.
The cybersecurity team initially discovered LANDFALL while investigating two similar cases. In one instance, a critical issue in the framework used in certain devices had already been exploited in "extremely sophisticated" attacks.
During the same period, a warning was issued that attackers may have chained a bug in a popular messaging app with this device-level flaw "in an advanced attack against specific targeted users."
Similarities but No Direct Connection
Despite the similarities between all of these attack chains, the researchers say they cannot definitively link LANDFALL to the other two cases.
"We don't have evidence to confirm that LANDFALL was used in conjunction with the other two cases, nor can we say the same actor was responsible," the researcher stated. "However, the close timing, delivery method, and clear technical parallels point to a broader wave of image-parsing exploitation being used in advanced mobile spyware operations."
While the researchers do not believe the flaw is still being exploited, "related exploit chains impacting certain devices were seen as recently as a couple of months ago, indicating that similar campaigns remained active until very recently," the researcher added.
Spied Upon Without Knowledge
Once deployed on a victim's device, LANDFALL has the usual advanced spyware capabilities: it remains hidden while collecting data, and can record calls, collect contacts and messages, and access photos and other files.
Unclear Who is Behind the Spying
While the researchers do not have sufficient evidence to definitively say who was behind the spying or developed the spyware, they do note that LANDFALL's control and domain registration patterns share similarities with a group known as Stealth Falcon. This group may have ties to a certain government and has conducted targeted spyware attacks against journalists, activists, and dissidents since at least 2012.
"The technical overlaps are interesting but not strong enough for responsible attribution," the researcher said. "What's clear is that the craft, tooling quality, and target-specific tailoring point to a highly resourced operator, not a criminal group."