Commercial spyware “Landfall” ran rampant on Samsung phones for almost a year

In a startling revelation, researchers from Unit 42, the threat intelligence division of Palo Alto Networks, have identified a sophisticated spyware named 'Landfall' that has been preying on Samsung Galaxy smartphones. This malicious campaign exploited a zero-day vulnerability in Samsung's Android software, allowing attackers to siphon off sensitive personal data for nearly twelve months. The spyware first emerged in July 2024, leveraging a flaw cataloged as CVE-2025-21042. Samsung responded by issuing a patch for its devices in April 2025, though details regarding the nature of the attacks have only just come to light. Fortunately, the underlying vulnerability has now been addressed, and it's believed that the attacks were largely aimed at specific groups rather than the general public. Unit 42 suspects that Landfall was primarily utilized for surveillance purposes in the Middle East, although the identity of the perpetrators remains unknown. One of the most concerning aspects of Landfall is that it operates as a zero-click attack, meaning it can infiltrate a device without any user interaction. The discovery of Landfall was prompted by the identification of two similar vulnerabilities patched in Apple iOS and WhatsApp. These exploits, when combined, enabled remote code execution, prompting researchers to investigate potential exploits that could achieve the same result. Their investigation led them to several malicious image files uploaded to VirusTotal, which ultimately unveiled the Landfall attack. Typically, image files are non-executable; however, the attackers managed to manipulate certain image types, specifically modified DNG files based on the TIFF format, to conceal malicious code. Embedded within these DNG files were ZIP archives containing harmful payloads, showcasing the attackers' advanced methods and intent.