Alert: Samsung Galaxy Phones Hit by ‘Landfall’ Spyware Flaw


Samsung Galaxy phones faced a stealthy year-long attack via ‘Landfall’ spyware exploiting photo files. Experts urge users to install the latest security updates now.

For almost a year, Samsung Galaxy phones were allegedly susceptible to a new Android spyware known as Landfall. According to the investigation, the malware can spread through targeted image processing of pictures in the device’s gallery and through seemingly legitimate photos shared over social media apps. The research describes it as commercial-grade spyware that targets a zero-day vulnerability on particular Galaxy models. The spyware was allegedly operational for more than a year before the South Korean IT giant fixed the vulnerability earlier this year.

Key Details of Samsung Galaxy Phones

Key Detail | Information
Spyware Name | Landfall
Target Devices | Galaxy S22, S23, S24, Z Fold 4, Z Flip 4
Attack Type | Zero-day image processing vulnerability
Discovery By | Unit 42, Palo Alto Networks
Vulnerability Code | CVE-2025-21042, CVE-2025-21043
Infection Method | Malicious DNG image files
Duration Active | Mid-2024 to Early 2025
Primary Affected Regions | Middle East (Iraq, Iran, Turkey, Morocco)
Fix Released | April 2025 & September 2025 security updates
User Action | Update Galaxy devices immediately

A zero-day flaw in Samsung’s image processing library was the main source of the attack. A zero-day is a security flaw that the manufacturer is not yet aware of, which leaves users without protection until a fix is provided. In this instance, the flaw made it possible for attackers to insert malicious code into DNG image files, a format frequently used by professional cameras to store unprocessed images.

Cybersecurity researchers at Unit 42, Palo Alto Networks’ threat intelligence division, were the first to discover the sophisticated spyware attack. The spyware was found concealed in image files, and it covertly took over impacted devices by exploiting an unpatched vulnerability.

After being activated, the spyware unpacked two hidden components: one served as a loader to initiate the infection, while the other interfered with the phone’s SELinux policy, a crucial Android security feature that regulates the capabilities of apps. The spyware altered that policy so that it could read texts, record audio, and copy data covertly.


To put it simply, receiving a message is all that is needed to become infected with the malware. The malicious image can be shared in a group on an instant messaging system, downloaded from an app, or sent via email. The attack starts as soon as the device downloads the image. The picture file contains a hidden trapdoor that installs a covert espionage application in the background when your phone’s image reader opens it. In essence, that was how Landfall operated.

The exploited vulnerability, known as CVE-2025-21042, was fixed by Samsung in its April security update. CVE-2025-21043, a related image-processing vulnerability, was also resolved in September. It is recommended that users update their phones right away if they haven’t done so since the beginning of the year.
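The update advice above, turned into a fleet check (an added example, not code from Samsung or Unit 42): it reads a device inventory and reports which of the two CVEs each phone is still missing a fix for. It assumes the April and September 2025 fixes correspond to Android security patch levels 2025-04-01 and 2025-09-01; the CSV columns and device rows are constructed.

```python
import csv
import io
from datetime import date

# Fix months come from the article; mapping them to the Android
# security patch level string is an assumption of this example.
FIXES = {
    "CVE-2025-21042": date(2025, 4, 1),
    "CVE-2025-21043": date(2025, 9, 1),
}
# Model families the article lists as Landfall targets.
TARGETED = ("Galaxy S22", "Galaxy S23", "Galaxy S24",
            "Galaxy Z Fold 4", "Galaxy Z Flip 4")

def parse_patch_level(text):
    """Parse a YYYY-MM-DD patch level; return None if missing or malformed."""
    try:
        return date.fromisoformat(text.strip())
    except ValueError:
        return None

def triage(model, patch_text):
    """Return (sorted list of unpatched CVEs, targeted-model flag)."""
    level = parse_patch_level(patch_text)
    if level is None:
        # An unknown patch level is treated as exposed, never as safe.
        missing = sorted(FIXES)
    else:
        missing = sorted(cve for cve, fixed in FIXES.items() if level < fixed)
    targeted = any(model.startswith(name) for name in TARGETED)
    return missing, targeted

# Constructed inventory export (hypothetical column names and devices).
SAMPLE = """device_id,model,security_patch
d-001,Galaxy S23 Ultra,2025-01-01
d-002,Galaxy Z Flip 4,2025-05-01
d-003,Galaxy S24,2025-09-01
d-004,Galaxy A54,
"""

def triage_inventory(csv_text):
    """Map each device_id to its triage result."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {r["device_id"]: triage(r["model"], r["security_patch"]) for r in rows}

if __name__ == "__main__":
    for dev, (missing, targeted) in triage_inventory(SAMPLE).items():
        print(dev, "targeted" if targeted else "other", missing or "patched")
```

Device d-002 shows the case the advice can hide: a phone updated after April is still missing the September fix for CVE-2025-21043. On a handset, the patch level is reported by the `ro.build.version.security_patch` system property.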


The Z Fold 4 and Z Flip 4 models, as well as the Samsung Galaxy S22, S23, and S24 series, were the primary targets of the malware. The campaign may have started in mid-2024 and continued into early 2025 before it was discovered, according to Unit 42’s analysis of submitted samples. The majority of the impacted devices appeared to be in the Middle East, including Iraq, Iran, Turkey, and Morocco.
