Security specialists at Palo Alto Networks’ Unit 42 have uncovered a complex spyware tool named Landfall that silently infiltrated certain Samsung Galaxy phones for close to a year. The operation relied on a serious flaw in Samsung’s Android image-processing system, which allowed the device to be compromised without the user tapping or opening anything on their screen.
Unit 42 traces the campaign back to July 2024. The underlying bug was later assigned CVE-2025-21042, and Samsung addressed it in a security update released in April 2025. The details of how attackers used the flaw became public only recently, after researchers completed their investigation.
The team emphasizes that even users who browsed risky websites or received suspicious files during that period likely avoided infection. Evidence suggests the operation was highly selective, targeting only specific individuals or groups rather than the general public. Based on submitted samples, the activity was concentrated in parts of the Middle East, including Iraq, Iran, Turkey, and Morocco. Who controlled Landfall remains unknown.
The researchers discovered the spyware while examining earlier zero-click bugs affecting Apple iOS and WhatsApp. Those unrelated flaws showed how attackers could trigger remote code execution by exploiting image-handling weaknesses. This motivated Unit 42 to search for similar risks affecting Android devices. During this process, they found several suspicious files uploaded to VirusTotal that ultimately revealed the Landfall attack chain.
At the center of this operation were manipulated DNG image files. DNG is a raw picture format built on the TIFF standard and is normally harmless. In this case, however, the attackers altered the files so they carried compressed ZIP archives containing malicious components. The image-processing library in Samsung devices had a defect that caused the system to extract and run the embedded code automatically while preparing the image preview. This made the threat a true zero-click exploit because no user action was required for infection.
Once the malware launched, it attempted to rewrite parts of the device’s SELinux security policy. This gave the operators broad system access and made the spyware harder to detect or remove. According to Unit 42, the files appeared to have been delivered through messaging platforms like WhatsApp, disguised as regular images. Code inside the samples referenced models such as the Galaxy S22, S23, S24, Z Flip 4, and Z Fold 4. Samsung believes the vulnerability existed across devices running Android 13, 14, and 15.
After installation, Landfall could gather extensive personal information. It could transmit hardware identifiers, lists of installed apps, contacts, browsing activity, and stored files. It also had the technical ability to activate the device’s microphone or camera for surveillance. The spyware included multiple features to avoid detection, meaning that fully removing it would require deep device repairs or resets.
Unit 42 noted similarities between Landfall’s design and advanced commercial spyware used by major surveillance vendors, but they did not identify any company or group responsible. Although Samsung has already released a fix, attackers could reuse this method on devices that have not installed the April 2025 update or later. Users are urged to check their security patch level to remain protected.
