Landfall Spyware Targets Samsung Galaxy Devices Across Android 13–15

Security researchers at Palo Alto Networks’ Unit 42 have uncovered a spyware campaign called Landfall, targeting Samsung Galaxy devices across Android 13–15. The malware exploited a zero-day vulnerability in Samsung phones and could infect devices through a single malicious image, indicating a targeted espionage operation.

The flaw, tracked as CVE-2025-21042, existed in Samsung’s image-processing library. Attackers could deliver the malware without any user interaction, using messaging apps like WhatsApp to send a malicious .DNG image. The zero-click exploit meant infection occurred automatically upon receiving the image.

Although Samsung patched the vulnerability in April 2025, the spyware had been active since July 2024, silently running for nearly a year. Affected models included Samsung Galaxy S22, S23, S24, and foldable devices such as the Z Fold 4 and Z Flip 4.

Researchers described the Landfall campaign as a precision attack, not mass distribution. Most victims were located in the Middle East and North Africa, including Iran, Iraq, Turkey, and Morocco, suggesting possible geopolitical or state-aligned motives.

Samsung Galaxy Spyware Linked to Surveillance Operators

The malware was distributed through servers linked to domains previously associated with the Stealth Falcon surveillance group, though the attackers remain unidentified. Unit 42 noted the spyware’s design and infrastructure point to professional surveillance operators rather than typical cybercriminals.

Once installed, the spyware could record audio, activate cameras, track real-time location, and collect messages, contacts, and call logs. Even with the patch, undisclosed exploits could still exist, researchers warned.

Samsung Galaxy users on Android 13–15 are advised to update devices fully, avoid files from unknown senders, and watch for unusual battery drain, overheating, or background data usage.

The discovery shows modern spyware no longer requires user interaction. Phone manufacturers are responding by enhancing security: Apple is expanding Lockdown Mode, and Google is testing live threat detection for Android devices.