Commercial spyware “Landfall” ran rampant on Samsung phones for almost a year

Another day, another malware attack on smartphones. Researchers at Unit 42, the threat intelligence arm of Palo Alto Networks, have revealed a sophisticated spyware known as “Landfall” targeting Samsung Galaxy phones. The researchers say this campaign leveraged a zero-day exploit in Samsung Android software to steal a raft of personal data, and it was active for almost a year. Thankfully, the underlying vulnerability has now been patched, and the attacks were most likely targeted at specific groups.

Unit 42 says that Landfall first appeared in July 2024, relying on a software flaw now catalogued as CVE-2025-21042. Samsung issued a patch for its phones in April 2025, but details of the attack have only been revealed now.

Even if you were out there poking around the darker corners of the Internet in 2024 and early 2025 with a Samsung Galaxy device, it’s unlikely you’d be infected. The team believes Landfall was used in the Middle East to target individuals for surveillance. It is currently unclear who was behind the attacks.

Landfall is particularly devious because it’s what’s known as a zero-click attack, which can compromise a system without the user’s direct involvement. Unit 42 only spotted Landfall because of two similar bugs that were patched in Apple iOS and WhatsApp. When combined, these two exploits would enable remote code execution, so the team went looking for exploits that might do that. They found several malicious image files uploaded to VirusTotal that revealed the Landfall attack.

Images that aren’t just images

A traditional image file is non-executable, but certain image files can be malformed in a way that carries malicious code. In the case of Landfall, the attackers used modified DNG files, a type of raw file based on the TIFF format. Within these DNG files, the unknown threat actors had embedded ZIP archives with malicious payloads.
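For defenders triaging suspicious raw images, the structure described above (a ZIP archive inside a TIFF-based DNG) can be checked for directly. The following is an added example, not code from Unit 42 or from the original article: it confirms the TIFF header, then looks for ZIP end-of-central-directory records and keeps only those that Python's zipfile module can actually parse. The function names and sample inputs are constructed for illustration.

```python
import io
import struct
import zipfile

TIFF_MAGICS = (b"II*\x00", b"MM\x00*")  # TIFF byte-order marks; DNG shares them
EOCD_SIG = b"PK\x05\x06"                # ZIP end-of-central-directory signature
EOCD_LEN = 22                           # fixed-size part of that record


def find_embedded_zips(data: bytes) -> list[list[str]]:
    """Return the member names of every parseable ZIP inside a TIFF/DNG blob."""
    if data[:4] not in TIFF_MAGICS:
        raise ValueError("not a TIFF/DNG header")
    archives = []
    pos = data.find(EOCD_SIG)
    while pos != -1:
        if pos + EOCD_LEN <= len(data):
            # The 16-bit comment length closes the record; cut the blob there
            # so zipfile sees an archive with the image bytes merely prepended.
            (comment_len,) = struct.unpack_from("<H", data, pos + 20)
            end = pos + EOCD_LEN + comment_len
            try:
                with zipfile.ZipFile(io.BytesIO(data[:end])) as zf:
                    archives.append(zf.namelist())
            except (zipfile.BadZipFile, ValueError):
                pass  # stray signature inside pixel data, not a real archive
        pos = data.find(EOCD_SIG, pos + 1)
    return archives


def constructed_samples() -> dict[str, bytes]:
    """Build harmless test inputs in memory (constructed, not real samples)."""
    tiff = b"II*\x00" + struct.pack("<IHI", 8, 0, 0)  # header + empty IFD stub
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("placeholder.txt", "constructed test member")
    return {
        "clean": tiff,
        "appended": tiff + buf.getvalue(),
        "embedded": tiff + buf.getvalue() + b"\x00" * 16,
        "stray_sig": tiff + EOCD_SIG + b"\xff" * 30,
    }


if __name__ == "__main__":
    for name, blob in constructed_samples().items():
        print(name, find_embedded_zips(blob))
```

A non-empty result on a file that claims to be a DNG is a reason to quarantine it and inspect the listed members, since a camera raw file has no need to carry a ZIP archive.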