Samsung Phones Infected by “Landfall” Spyware for Nearly a Year

Summary
– Researchers discovered “Landfall,” a sophisticated spyware targeting Samsung Galaxy phones via a zero-day exploit in Samsung Android software.
– The campaign was active from July 2024 until Samsung patched the vulnerability in April 2025, primarily targeting specific groups in the Middle East.
– Landfall is a zero-click attack that can compromise devices without user interaction, using maliciously modified DNG image files to hide ZIP archives with payloads.
– The spyware was uncovered by Unit 42 while investigating similar exploits in Apple iOS and WhatsApp, leading to the discovery of malicious files on VirusTotal.
– It remains unclear who was behind the attacks, which were designed to steal personal data for surveillance purposes.
Security researchers have uncovered a persistent and highly targeted spyware campaign, codenamed “Landfall,” which specifically infiltrated Samsung Galaxy smartphones for close to a year. According to Unit 42, the threat intelligence division of Palo Alto Networks, this sophisticated operation exploited a previously unknown security flaw within Samsung’s Android software to siphon off extensive personal information. The good news is that Samsung has since released a security update to address the vulnerability, and evidence suggests the attacks were narrowly focused rather than widespread.
The Landfall spyware campaign is believed to have commenced in July 2024, leveraging a specific software weakness identified as CVE-2025-21042. Samsung distributed a corrective patch for its devices in April 2025, though comprehensive details about the malicious activity have only recently come to light.
Most Samsung users need not worry about having been affected. Investigators assess that the operation was likely deployed in the Middle East, aiming at particular individuals for surveillance purposes. The identity of the attackers remains unknown at this time.
What makes Landfall especially dangerous is its classification as a zero-click attack. This means the malware could infect a device without requiring the user to click a link, download a file, or take any other visible action. Unit 42 researchers detected the campaign indirectly. They were analyzing two separate vulnerabilities that had been fixed in Apple’s iOS and WhatsApp, which, when used together, allowed for remote code execution. This prompted them to search for other exploits with similar capabilities, leading to the discovery of several malicious image files uploaded to the VirusTotal scanning service. These files ultimately exposed the Landfall operation.
The malicious images were far from ordinary. While a standard image file cannot execute code, certain specially crafted files can be manipulated to conceal harmful software. In this instance, the attackers employed altered DNG files, a raw image format based on TIFF. Hidden inside these DNG files were embedded ZIP archives containing the malicious payloads used to compromise the devices.
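As an added illustration of the triage check a defender might run on suspicious image files (this is example code, not Unit 42's tooling, and it does not reproduce Landfall's actual file layout, which the article does not describe): a Python heuristic that flags a TIFF-structured DNG carrying ZIP archive structures. It assumes the archive may sit at any offset in the file; the sample DNG-like files it inspects are constructed inline.

```python
import io
import struct
import zipfile
from typing import Optional

TIFF_MAGICS = (b"II*\x00", b"MM\x00*")  # DNG is a TIFF container: little-/big-endian marks
ZIP_LOCAL_HEADER = b"PK\x03\x04"        # start of a ZIP member
ZIP_EOCD = b"PK\x05\x06"                # ZIP end-of-central-directory record

def is_tiff_like(data: bytes) -> bool:
    """True if the bytes begin with a TIFF header, as every DNG does."""
    return data[:4] in TIFF_MAGICS

def find_embedded_zip(data: bytes) -> Optional[dict]:
    """Heuristic: a raw image has no reason to carry ZIP structures, so a ZIP member
    header followed by a parseable central directory is a red flag. Assumption: the
    archive may sit at any offset (the article does not say where Landfall put it)."""
    start = data.find(ZIP_LOCAL_HEADER)
    if start < 0 or data.rfind(ZIP_EOCD) < start:
        return None
    try:
        # zipfile tolerates leading non-ZIP bytes, so it can parse the whole file
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            members = zf.namelist()
    except zipfile.BadZipFile:
        members = []  # ZIP magic present but not a valid archive: still worth a look
    return {"offset": start, "members": members}

def triage_dng(data: bytes) -> str:
    """Classify a candidate DNG as not-tiff, clean, or suspicious."""
    if not is_tiff_like(data):
        return "not-tiff"
    hit = find_embedded_zip(data)
    if hit is None:
        return "clean"
    return f"suspicious: zip at offset {hit['offset']}, {len(hit['members'])} member(s)"

def minimal_tiff() -> bytes:
    """Constructed sample: tiny little-endian TIFF with one IFD entry (ImageWidth=1)."""
    header = b"II*\x00" + struct.pack("<I", 8)  # IFD starts at offset 8
    ifd = struct.pack("<H", 1) + struct.pack("<HHII", 256, 3, 1, 1) + struct.pack("<I", 0)
    return header + ifd

def tiff_with_zip() -> bytes:
    """Constructed sample: the same TIFF with a ZIP archive appended after the IFD."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("member.txt", "constructed test content, not a real payload")
    return minimal_tiff() + buf.getvalue()
```

A real image carrying ZIP structures is worth escalating to a sandbox or to your vendor rather than opened on a phone; the check is a triage signal, not proof of the specific exploit.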
(Source: Ars Technica)

