A major cybersecurity alert has been issued for Samsung Galaxy users after experts uncovered a sophisticated spyware campaign that had been secretly operating for nearly a year.
The malware, known as Landfall, exploited a previously unknown flaw in Samsung devices to steal personal data from selected users.
A silent threat
According to research by Unit 42 of Palo Alto Networks, Landfall is an Android-based spyware designed specifically to infiltrate Samsung Galaxy smartphones. It spread through malicious image files in DNG format, often shared via instant messaging apps such as WhatsApp.
Once opened, the image activated code that granted attackers remote access to the device. From there, they could retrieve sensitive information, including photos, contacts, call logs, messages, and location data — even intercepting audio through the phone’s microphone.
The first traces of Landfall were detected in July 2024, though experts believe many infections occurred silently without any user interaction.
Exploiting a hidden flaw
Investigators found that Landfall took advantage of a zero-day vulnerability — an unpatched security flaw — in Samsung’s image processing library, libimagecodec.quram.so. The bug, officially catalogued as CVE-2025-21042, enabled attackers to execute arbitrary code remotely.
Samsung became aware of the flaw in September 2024 and released a fix seven months later, in April 2025. However, by then, the spyware campaign had already been active for almost a full year, quietly gathering data from targeted phones.
Precision espionage
The campaign primarily affected users of Galaxy S22, S23, and S24 models, as well as some foldable Z-series devices. The spyware was compatible with Android versions 13 through 15, according to the researchers.
Unit 42 senior investigator Itay Cohen described Landfall as a “precision attack” focused on espionage, not a mass-distributed campaign. He explained that its operation was “intended to target specific individuals,” rather than general users.
Traces and implications
The investigation also revealed that the spyware shared technical similarities with surveillance tools linked to private sector offensive actors (PSOAs) operating in the Middle East, suggesting potential commercial or geopolitical motives. The developers behind Landfall remain unknown, as does the total number of victims affected.
Cybersecurity experts recommend that Samsung users ensure their devices are updated to the latest firmware version to mitigate any lingering vulnerabilities.
Sources: Unit 42 (Palo Alto Networks), elEconomista.es, Reuters
This article is made and published by Asger Risom, who may have used AI in the preparation