Samsung Galaxy Phones Targeted by Sophisticated ‘LANDFALL’ Spyware in Zero-Day Attack
A newly uncovered Android spyware family, dubbed “LANDFALL,” exploited a previously unknown vulnerability in Samsung Galaxy devices, enabling attackers to steal sensitive user data through malicious image files.
Samsung Galaxy phones are consistently ranked among the most secure Android devices, offering extended software support and regular security updates. However, a recent report reveals that even these robust systems were vulnerable to a sophisticated zero-day attack. Cybersecurity experts have identified “LANDFALL” as an especially insidious spyware capable of operating undetected for extended periods.
Palo Alto Networks Uncovers ‘LANDFALL’
The Unit 42 division of global cybersecurity firm Palo Alto Networks discovered the previously unknown Android spyware family, naming it “LANDFALL” (h/t ArsTechnica). This revelation is part of a growing trend of similar vulnerabilities being identified and patched across multiple mobile platforms, including iOS. According to researchers, the spyware targeted Samsung Galaxy phones by exploiting a zero-day vulnerability within the company’s Android image processing library.
“What makes LANDFALL particularly devious is that it is a zero-day vulnerability – it could compromise the phone without the user’s direct involvement,” one analyst noted. Attackers reportedly deployed the spyware using specially crafted DNG (Digital Negative) files distributed through common messaging applications like WhatsApp.
How LANDFALL Operated
When a targeted device processed these malicious image files, the embedded spyware was silently loaded onto the system. Once active, LANDFALL granted remote operators access to a wealth of personal data, including:
- Photos
- Contacts
- Call logs
- Microphone recordings
- Location tracking data
The spyware was also designed to evade detection and resist removal, allowing it to remain active and gather intelligence for months. Unit 42 believes LANDFALL was actively deployed in 2024 and early 2025, primarily targeting individuals in the Middle East.
Affected Devices and Software Versions
The vulnerability potentially impacted Samsung devices running One UI 5 through One UI 7 (based on Android 13 through 15). Specifically, the following models were identified as targets:
- Galaxy S22
- Galaxy S23 series
- Galaxy S24 series
- Galaxy Z Fold 4
- Galaxy Z Flip 4
Patch and Current Risk
Fortunately, Samsung addressed the vulnerability with a security patch released in April 2025. Consequently, current-generation Samsung users are no longer at risk. However, experts strongly recommend that all Samsung Galaxy phone owners ensure their devices are updated to the latest available Android version and security patch.
While reports indicate that LANDFALL has not been observed in Western regions, a proactive approach to security is always advisable. “It’s better to be safe than sorry,” a security official stated.
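One way to apply the update recommendation above across a managed fleet, as an added example that is not from the original article or from Unit 42: it triages a device inventory against the Android range, model list and April 2025 fix date given above. The CSV column names are hypothetical, the sample rows are constructed, and mapping the April 2025 fix to a patch level of `2025-04-01` is an assumption.

```python
import csv
import io
from datetime import date

# Values taken from the article above.
FIXED_PATCH = date(2025, 4, 1)      # assumption: April 2025 fix == patch level 2025-04-01
AFFECTED_ANDROID = range(13, 16)    # One UI 5 through 7 => Android 13 through 15
TARGETED_MODELS = ("Galaxy S22", "Galaxy S23", "Galaxy S24",
                   "Galaxy Z Fold 4", "Galaxy Z Flip 4")

# Constructed sample inventory; column names are a hypothetical MDM export.
SAMPLE_INVENTORY = """\
device_id,model,android_version,security_patch
d-001,Galaxy S23 Ultra,14,2025-01-01
d-002,Galaxy S24,15,2025-05-01
d-003,Galaxy Z Flip 4,13,2024-11-01
d-004,Galaxy A54,14,2024-12-01
d-005,Galaxy S22,14,unknown
d-006,Galaxy S21,12,2024-06-01
"""


def triage(row):
    """Classify one inventory row by exposure to the patched flaw."""
    try:
        patch = date.fromisoformat(row["security_patch"])
        android = int(row["android_version"])
    except (ValueError, TypeError):
        # Missing or malformed data is flagged for review, never assumed safe.
        return "unknown"
    if patch >= FIXED_PATCH:
        return "patched"
    if android not in AFFECTED_ANDROID:
        return "out-of-scope"  # outside the Android range the article names
    # Prefix match so "Galaxy S23 Ultra" counts as part of the S23 series.
    if row["model"].startswith(TARGETED_MODELS):
        return "exposed-targeted"
    return "exposed"


def audit(inventory_csv):
    """Map device_id -> triage status for every row of the inventory."""
    reader = csv.DictReader(io.StringIO(inventory_csv))
    return {row["device_id"]: triage(row) for row in reader}


if __name__ == "__main__":
    for device, status in audit(SAMPLE_INVENTORY).items():
        print(f"{device}: {status}")
```

Devices reported as `unknown` need a manual check of the patch level shown in the phone's software information screen.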
