The takeaway: What began as a series of disguised image files eventually unraveled into a long-running surveillance operation, revealing how hackers can use a single flaw in image-parsing libraries to bypass traditional security boundaries without a single user click. The case underscores how quickly mobile threats are evolving.

For months, hackers conducted a quiet but highly advanced espionage campaign targeting select Samsung Galaxy users. The invasion used an exploit so sophisticated that it infected devices without users taking any action. Security researchers at Palo Alto Networks Unit 42 have disclosed full details of "Landfall," a commercial-grade spyware that exploited an unpatched flaw in Samsung's Android software throughout most of 2024 and early 2025.

Samsung patched the vulnerability (CVE-2025-21042) in its April 2025 security update, but the exploit had been in use long enough before the fix to enable targeted surveillance across multiple countries. Unit 42's investigation tracked limited, region-specific operations focused on the Middle East, though the actors behind the attacks remain unknown.

Landfall's discovery marks one of the most intricate Android zero-click exploits in recent years. The malware chain began with manipulated digital image files – specifically modified DNG files based on the TIFF format. Unlike ordinary DNGs, the attackers' files embedded ZIP archives containing malicious shared object libraries that exploited zero-day flaws in Samsung's image processing component, which handled files automatically.

When a malicious image arrived on the device, the background image renderer extracted and executed the hidden payload without user interaction. Once inside the device, the malware modified SELinux policies, granting itself extended privileges to access private data and bypass sandboxing. Landfall's operators could pull extensive information from the phones, including device identifiers, installed applications, contacts, file directories, and browser data. The spyware could even activate microphones and cameras remotely.
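The delivery format described above, a DNG (a TIFF container) with a ZIP archive hidden inside it, is something an incident responder can triage for without understanding the renderer bug itself. The script below is an added example written for this article; it is not Unit 42's tooling, Samsung's code, or a Landfall artefact. It parses the TIFF header and IFD chain, works out how far the structure and the strip/tile data it references actually reach into the file, and then reports every ZIP signature it finds, flagging those that sit beyond the structured region. The sample image and the appended archive are constructed in code, and the heuristic that "ZIP signatures past the data the image references are suspicious" is this example's assumption, not a statement from the report.

```python
"""Triage check: does a DNG/TIFF file carry a ZIP archive it should not?

Added example, not code from Unit 42, Samsung, or the Landfall operators.
SubIFDs (tag 330) are not followed, which is a simplification; a hit inside
the structured region is still reported, just with beyond_structure=False.
"""
import io
import struct
import zipfile

# Byte width of each TIFF field type (BYTE, ASCII, SHORT, LONG, RATIONAL, ...)
TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 6: 1, 7: 1, 8: 2, 9: 4, 10: 8,
              11: 4, 12: 8, 13: 4, 16: 8, 17: 8, 18: 8}
# StripOffsets -> StripByteCounts, TileOffsets -> TileByteCounts: pixel data lives here
OFFSET_TAGS = {273: 279, 324: 325}
ZIP_SIGS = (b"PK\x03\x04", b"PK\x05\x06")  # local file header, end of central directory


def _read_values(data, end, typ, count, raw):
    """Decode SHORT/LONG values stored inline or at an offset; [] if unsupported."""
    size = TYPE_SIZES.get(typ, 1) * count
    blob = raw[:size] if size <= 4 else data[(o := struct.unpack(end + "I", raw)[0]):o + size]
    fmt = {3: "H", 4: "I"}.get(typ)
    if fmt is None or len(blob) != size:
        return []
    return list(struct.unpack(end + fmt * count, blob))


def structured_extent(data):
    """Return the highest byte offset referenced by the TIFF/DNG structure."""
    if len(data) < 8 or data[:2] not in (b"II", b"MM"):
        raise ValueError("not a TIFF container")
    end = "<" if data[:2] == b"II" else ">"
    magic, ifd_off = struct.unpack(end + "HI", data[2:8])
    if magic != 42:
        raise ValueError("unsupported TIFF magic %d" % magic)
    extent, seen = 8, set()
    while ifd_off and ifd_off not in seen and ifd_off + 2 <= len(data):
        seen.add(ifd_off)  # guard against IFD loops in a hostile file
        n = struct.unpack(end + "H", data[ifd_off:ifd_off + 2])[0]
        entries = {}
        for i in range(n):
            e = ifd_off + 2 + 12 * i
            if e + 12 > len(data):
                break
            tag, typ, count = struct.unpack(end + "HHI", data[e:e + 8])
            raw = data[e + 8:e + 12]
            size = TYPE_SIZES.get(typ, 1) * count
            if size > 4:  # value field is an offset to out-of-line data
                extent = max(extent, struct.unpack(end + "I", raw)[0] + size)
            entries[tag] = (typ, count, raw)
        extent = max(extent, ifd_off + 2 + 12 * n + 4)
        for off_tag, len_tag in OFFSET_TAGS.items():
            if off_tag in entries and len_tag in entries:
                offs = _read_values(data, end, *entries[off_tag])
                lens = _read_values(data, end, *entries[len_tag])
                for o, l in zip(offs, lens):
                    extent = max(extent, o + l)
        nxt = ifd_off + 2 + 12 * n
        if nxt + 4 > len(data):
            break
        ifd_off = struct.unpack(end + "I", data[nxt:nxt + 4])[0]
    return extent


def scan_for_embedded_zip(data):
    """Return sorted (offset, signature, beyond_structure) tuples for ZIP markers."""
    extent = structured_extent(data)
    hits = []
    for sig in ZIP_SIGS:
        pos = data.find(sig)
        while pos != -1:
            hits.append((pos, sig, pos >= extent))
            pos = data.find(sig, pos + 1)
    return sorted(hits)


def build_sample(with_zip):
    """Constructed test input: an 8x8 8-bit grey little-endian TIFF, optionally with a ZIP appended."""
    pixels = bytes(range(64))
    ifd_off = 8 + len(pixels)
    entries = [(256, 3, 1, 8), (257, 3, 1, 8), (258, 3, 1, 8),
               (273, 4, 1, 8), (279, 4, 1, len(pixels))]
    ifd = struct.pack("<H", len(entries))
    for tag, typ, count, val in entries:
        ifd += struct.pack("<HHI", tag, typ, count)
        ifd += (struct.pack("<H", val) + b"\0\0") if typ == 3 else struct.pack("<I", val)
    ifd += struct.pack("<I", 0)  # no next IFD
    tiff = b"II" + struct.pack("<HI", 42, ifd_off) + pixels + ifd
    if with_zip:
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as z:
            z.writestr("payload.so", b"\x7fELF" + b"\0" * 12)  # constructed stand-in, not a real library
        tiff += buf.getvalue()
    return tiff


if __name__ == "__main__":
    for label, blob in (("clean", build_sample(False)), ("zip-appended", build_sample(True))):
        print(label, "structured extent", structured_extent(blob), "hits", scan_for_embedded_zip(blob))
```

In practice this is a first-pass filter for an image corpus pulled from a messaging client's cache: a clean DNG produces no hits, while a file whose ZIP signatures all land past the structured extent is worth a closer look. It deliberately does not try to parse or extract the archive.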

According to forensic data and VirusTotal submissions reviewed by Unit 42, the campaign affected Galaxy models from the S22 through S24, as well as foldables like the Z Flip 4 and Z Fold 4. Researchers found traces of infection concentrated in Iraq, Iran, Turkey, and Morocco, suggesting carefully selected targets rather than mass distribution.

Unit 42 says its investigation began after its researchers, while looking into separate zero-days in Apple iOS and WhatsApp, noticed a pattern in image-based attacks. While analyzing similar artifacts on VirusTotal, they uncovered a cluster of corrupted images that ultimately led to Landfall's identification.

Although Landfall's operators remain unknown, Unit 42's analysis notes overlaps in coding style, server naming, and infrastructure behavior consistent with spyware developed by established surveillance contractors such as NSO Group and Variston. The researchers stopped short of attribution but noted that the technical evidence points to a commercially engineered espionage platform rather than a one-off criminal toolset. The spyware includes evasion measures, suggesting a professional development team with access to significant resources.

Samsung has confirmed that the April 2025 update mitigates the vulnerability in Android versions 13 through 15. However, since Landfall can modify system-level configurations, removing it is challenging even after applying the software patch. Users who have not installed the patch remain at risk of similar attacks if future actors reuse the now publicly documented exploit.