Another smartphone malware incident has been uncovered, this time involving a sophisticated spyware dubbed “Landfall” targeting Samsung Galaxy phones. Unit 42, the threat intelligence team from Palo Alto Networks, revealed that this campaign involved a zero-day exploit in Samsung's Android software to steal extensive personal data. The cyber assault was reportedly operational for almost a year before the underlying vulnerability was patched.
Landfall was first detected in July 2024, utilizing a software flaw now officially identified as CVE-2025-21042. Samsung addressed this vulnerability by issuing a patch in April 2025, but information about the attack has only recently come to light.
Users who ventured into risky internet territories in 2024 and early 2025 with a Samsung Galaxy device are unlikely to have been infected, as it appears that Landfall's attacks were specifically directed at certain groups. It's believed the spyware was deployed in the Middle East for surveillance purposes, though the responsible parties remain unidentified.
The insidious nature of Landfall lies in its zero-click attack method, allowing system compromise without any user interaction. Unit 42's discovery of Landfall was prompted by similar bugs addressed in Apple iOS and WhatsApp. When these exploits were combined, they enabled remote code execution, leading the team to investigate similar vulnerabilities. Their search uncovered malicious image files uploaded to VirusTotal, which exposed the Landfall operation.
Traditionally, image files aren't executable, but certain files can be corrupted to carry harmful code. In Landfall's case, modified DNG files, another form of raw file based on the TIFF format, were used. These files contained ZIP archives with malicious payloads, cleverly hidden within.
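For defenders triaging image samples, the following added example (not code from Unit 42 or from the original article) flags a TIFF-based file such as a DNG that also parses as a ZIP archive. The function names, the sample files and the member name `payload.bin` are constructed for illustration.

```python
import io
import struct
import zipfile

TIFF_MAGICS = (b"II*\x00", b"MM\x00*")  # little- and big-endian TIFF headers


def make_tiff() -> bytes:
    """Constructed sample: minimal TIFF header, empty IFD, zero padding."""
    return b"II*\x00" + struct.pack("<I", 8) + struct.pack("<HI", 0, 0) + bytes(32)


def make_polyglot() -> bytes:
    """Constructed sample: the TIFF above with a harmless ZIP appended."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("payload.bin", b"constructed, harmless bytes")
    return make_tiff() + buf.getvalue()


def scan_tiff_for_zip(data: bytes):
    """Return details of a ZIP archive embedded in TIFF/DNG data, else None."""
    if data[:4] not in TIFF_MAGICS:
        return None  # not TIFF-based, out of scope for this check
    try:
        # zipfile locates the end-of-central-directory record from the end
        # of the file and tolerates data prepended to the archive.
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            members = zf.infolist()
    except zipfile.BadZipFile:
        return None
    if not members:
        return None
    return {
        # header_offset is already adjusted for the prepended image bytes
        "zip_offset": min(m.header_offset for m in members),
        "names": [m.filename for m in members],
    }


if __name__ == "__main__":
    for label, sample in (("clean", make_tiff()), ("polyglot", make_polyglot())):
        print(label, scan_tiff_for_zip(sample))
```

This check only catches archives with an intact central directory. A hit is a reason to examine the file further, not proof of compromise.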