Samsung’s Landfall Spyware Shows Zero-Click Attacks Are Getting Scary


According to Ars Technica, researchers at Unit 42 discovered a sophisticated spyware called “Landfall” that targeted Samsung Galaxy phones using a zero-day exploit cataloged as CVE-2025-21042. The campaign first appeared in July 2024 and remained active for almost a year until Samsung issued a patch in April 2025. Landfall specifically targeted devices including the Galaxy S22, S23, S24, Z Flip 4, and Z Fold 4 through malicious DNG image files. The attacks were likely limited to surveillance targets in the Middle East, particularly Iraq, Iran, Turkey, and Morocco. The spyware could extract user IDs, contacts, files, browsing history, and even activate cameras and microphones. Unit 42 believes the operation shares similarities with commercial spyware from firms like NSO Group and Variston.


The sneaky image trick

Here’s what makes Landfall particularly concerning: it’s a zero-click attack. That means you don’t need to click anything, download anything, or even interact with the malicious content. The attackers used modified DNG files – those raw image formats that photographers love – but these weren’t just images. They contained hidden ZIP archives with malicious payloads. When your phone tried to process these images for display (say, in a messaging app), the vulnerability in Samsung’s image processing library would automatically extract and execute the spyware. Basically, your phone’s attempt to show you a picture could silently install spyware. Scary, right?
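To make the "image that is really an archive" trick concrete, here is an added triage script (not Unit 42's or Samsung's detection logic, and not code from the original article) that checks whether a TIFF-based DNG file carries a ZIP archive inside it and, if so, lists the archive's members so an analyst can confirm the hit rather than trust a byte-signature match. Sample inputs are constructed in-memory; no real Landfall sample is involved.

```python
import io
import struct
import zipfile

# Constructed heuristic: DNG is a TIFF container, so a genuine file begins with
# one of the two TIFF byte-order marks. ZIP archives carry fixed "PK" markers.
TIFF_MAGICS = (b"II*\x00", b"MM\x00*")
ZIP_SIGNATURES = {
    b"PK\x03\x04": "local file header",
    b"PK\x05\x06": "end of central directory",
}

def is_tiff_dng(data: bytes) -> bool:
    """True if the data starts with a little- or big-endian TIFF header."""
    return data[:4] in TIFF_MAGICS

def find_embedded_zip(data: bytes) -> list[tuple[int, str]]:
    """Return (offset, marker name) for every ZIP marker found after the header.
    A marker alone can be a coincidence in pixel data, so callers confirm by parsing."""
    hits = []
    for sig, name in ZIP_SIGNATURES.items():
        start = 4  # skip the TIFF magic itself
        while (pos := data.find(sig, start)) != -1:
            hits.append((pos, name))
            start = pos + 1
    return sorted(hits)

def list_zip_members(data: bytes, offset: int) -> list[str]:
    """Parse the bytes from offset as a ZIP archive; return member names, or [] if invalid."""
    try:
        with zipfile.ZipFile(io.BytesIO(data[offset:])) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return []

def triage(data: bytes) -> dict:
    """Flag a file as suspicious when it is a DNG/TIFF and contains a parseable ZIP."""
    hits = find_embedded_zip(data)
    members = list_zip_members(data, hits[0][0]) if hits else []
    suspicious = is_tiff_dng(data) and bool(members)
    return {"is_dng": is_tiff_dng(data), "zip_hits": hits,
            "members": members, "suspicious": suspicious}

# Constructed samples: a bare 14-byte little-endian TIFF header (empty IFD),
# and the same header with a harmless ZIP archive appended after it.
def minimal_tiff() -> bytes:
    return b"II*\x00" + struct.pack("<I", 8) + struct.pack("<H", 0) + struct.pack("<I", 0)

def tiff_with_zip() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("payload.bin", b"constructed placeholder, not a real payload")
    return minimal_tiff() + buf.getvalue()
```

Running `triage()` over a directory of incoming DNG attachments is a cheap first pass; any file that is both a valid TIFF and a parseable ZIP deserves a closer look before the device's image pipeline ever touches it.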

Burrowing deep into your system

Once Landfall gets in, it’s not just some simple malware you can easily remove. The payload modifies your device’s SELinux policy – that’s the security framework that controls what apps can and cannot do. This gives Landfall expanded permissions and lets it burrow deep into system software. It’s like giving a burglar the master keys to your entire security system. The spyware also includes various tools to evade detection, making it even harder to spot. And because it manipulates core security policies, traditional antivirus software might not even recognize it as a threat.

Commercial spyware strikes again

Unit 42 notes that Landfall shares characteristics with commercial spyware developed by companies like NSO Group and Variston. These aren’t your average cybercriminals – we’re talking about sophisticated operations that typically sell their services to governments and intelligence agencies. The targeting in Middle Eastern countries and the specific nature of the surveillance capabilities strongly suggest this wasn’t random criminal activity.

Should you be worried?

If you’re using a Samsung phone, the immediate threat is probably minimal if you’ve kept your device updated. Samsung patched this vulnerability back in April 2025, so anyone running the April patch or later should be protected. But here’s the thing that keeps security researchers up at night: this demonstrates how sophisticated mobile attacks have become. Zero-click exploits that require no user interaction are the holy grail for attackers, and they’re becoming more common. The fact that researchers only discovered Landfall because they were investigating similar bugs in Apple iOS and WhatsApp shows how these threats often fly under the radar. So while this particular attack was targeted, the techniques are now public knowledge. Other threat actors will undoubtedly try similar approaches.
