Once activated, the spyware Landfall can record audio, read messages, and copy data without detection.
Samsung patched the vulnerability in April
Samsung Galaxy smartphones were reportedly vulnerable to a new Android Spyware dubbed Landfall for more than a year. As per the report, the malware can be spread via seemingly normal images shared over social media apps, and targeted image parsing in the device's library. The report mentions that it is a commercial-grade malware that specifically focuses on a zero-day vulnerability on specific Galaxy models. The South Korean tech giant addressed the flaw earlier this year, but the spyware was reportedly active for more than 12 months before that.
The sophisticated spyware attack was first uncovered by cybersecurity researchers at Unit 42, the threat intelligence arm of Palo Alto Networks. The spyware was found hidden inside image files and used an unpatched vulnerability to secretly take control of affected devices.
At the heart of the attack was a zero-day vulnerability in Samsung's image-processing library. A zero-day refers to a security flaw that the manufacturer is not yet aware of, leaving users defenceless until a patch is released. In this case, the bug allowed attackers to embed malicious code inside DNG image files, a format commonly used by professional cameras for storing raw photos.
To break it down, all it requires to get infected with the malware is to receive a message. It can be downloaded from an app, received via email, or shared in a group on an instant messaging platform. As soon as the image has been downloaded on the device, the attack begins. The image file secretly carries a trapdoor that, when opened by your phone's image viewer, installs a hidden spy programme in the background. That's essentially how Landfall worked.
Once triggered, the spyware unpacked two hidden components: one acted as a loader to start the infection, while the other tampered with the phone's SELinux policy, a key Android security feature that controls what apps can and cannot do. By altering it, the spyware gave itself elevated permissions to record audio, read messages, and copy data without detection.
The malware was mainly found targeting Samsung Galaxy S22, Galaxy S23, and Galaxy S24 series, as well as the Z Fold 4 and Z Flip 4 models. Unit 42's analysis of uploaded samples suggests that the campaign may have begun in mid-2024 and continued into early 2025 before it was exposed. Most of the affected devices appeared to be in the Middle East, including Iraq, Iran, Turkey, and Morocco.
Samsung patched the exploited vulnerability, tracked as CVE-2025-21042, in its April security update. A related image-processing flaw, CVE-2025-21043, was also fixed in September. Users who have not updated their phones since early this year are urged to do so immediately.
Get your daily dose of tech news, reviews, and insights, in under 80 characters on Gadgets 360 Turbo. Connect with fellow tech lovers on our Forum. Follow us on X, Facebook, WhatsApp, Threads and Google News for instant updates. Catch all the action on our YouTube channel.