Recently, a dangerous piece of spyware called “Landfall” was discovered targeting Samsung Galaxy phones. This malware was active for almost a year and could silently steal personal data or even activate the camera and microphone without the user doing anything. Fortunately, Samsung fixed the underlying security flaw in April 2025, but the details of the attack only came out now.

What is Landfall and How Did It Work?

Landfall is a type of spyware that uses a zero-click attack. That means it can infect a device without the user opening a suspicious link or app. Instead, it relies on a flaw in Samsung’s software to do its dirty work when processing certain image files. The attackers sent malicious images, specifically modified DNG files—these are raw image files based on the TIFF format—through messaging apps like WhatsApp.

Inside these images, the attackers embedded ZIP archives containing malicious code. When the phone’s system processed these images, it automatically extracted and ran the malicious payload. This allowed Landfall to gain access to the device’s data and even alter system permissions to stay hidden.

The Exploit Details and Targeted Devices

The vulnerability, identified as CVE-2025-21042, affected Samsung phones running Android versions from Android 13 to Android 15. The attack was particularly sophisticated because it exploited a flaw in Samsung’s image processing library. When the system displayed the malicious image, it silently ran the embedded code, making it a zero-click attack.

Once infected, the spyware communicated with a remote server, sending back details like device IDs, installed apps, contacts, files, and browsing history. It could also turn on the camera and microphone to spy on users. The malware was designed to hide itself deeply within the system, making removal difficult. It could manipulate system policies and include tools to evade detection.

The targeted phones included popular models like the Galaxy S22, S23, S24, Galaxy Z Flip 4, and Galaxy Z Fold 4. Most of the activity appeared to be in the Middle East, with infections reported in countries such as Iraq, Iran, Turkey, and Morocco. Researchers believe the attack was highly targeted, but once the details became public, other hackers could replicate similar tactics on unpatched devices.

Who Was Behind the Attack?

While the exact group responsible for Landfall remains unknown, similarities in code and server responses suggest links to advanced cyber-espionage firms like NSO Group or Variston. These companies develop industrial-grade spyware for governments and private clients. However, there’s no definitive proof tying Landfall directly to any particular organization.

Samsung responded quickly once the vulnerability was identified. The company released a security patch in April 2025 that fixed the flaw. Users are strongly advised to update their devices to the latest software version to protect against similar threats. Since the attack was highly targeted and exploited a zero-day flaw, most regular users who kept their software current were likely safe.

This incident highlights how sophisticated modern spyware can be. It also shows the importance of keeping your device’s software up to date. As cyber threats evolve, staying patched is your best defense. While Landfall was a major concern, the good news is that the vulnerability has now been closed. But it’s a reminder that even trusted devices like Samsung smartphones aren’t invulnerable without proper updates.

Inspired by

• https://arstechnica.com/gadgets/2025/11/commercial-spyware-landfall-ran-rampant-on-samsung-phones-for-almost-a-year/

Sources

• conde.digital
• cnevids.com
• paloaltonetworks.com