DMR News


Hackers Exploited Image Files to Spy on Samsung Phones Without User Interaction

By Jolyen

Nov 10, 2025


A sophisticated espionage campaign targeting Samsung Galaxy devices has exposed a new form of zero-click attack that leveraged seemingly harmless image files to infiltrate smartphones. Security researchers from Palo Alto Networks’ Unit 42 uncovered the operation, codenamed “Landfall,” which used a flaw in Samsung’s Android software to conduct surveillance across multiple countries throughout 2024 and early 2025.

The attackers exploited a previously unknown vulnerability, tracked as CVE-2025-21042, that allowed malicious code to execute automatically when an image file was processed by the device. The campaign infected phones without requiring any user interaction, marking one of the most intricate Android zero-click exploits identified in recent years.

Landfall’s attack chain began with manipulated DNG image files—a format derived from TIFF—that concealed ZIP archives containing malicious shared object libraries. When a targeted device received one of these images, Samsung’s background image renderer automatically parsed it, triggering the embedded payload. The malware then exploited the image-processing flaw to bypass Android’s sandbox protections, modify SELinux policies, and grant itself elevated privileges.
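A defender-side triage check for the delivery format described above, added here as an example and not taken from Unit 42's report or from Samsung: it flags TIFF/DNG files that also parse as a ZIP archive and lists members that begin with the ELF magic bytes. It assumes the archive sits after the image data; `inspect_image` and `constructed_sample` are hypothetical names, and the sample bytes are constructed.

```python
import io
import struct
import zipfile

TIFF_MAGICS = (b"II*\x00", b"MM\x00*")  # little- and big-endian TIFF/DNG headers
ZIP_LOCAL_HEADER = b"PK\x03\x04"        # start of a ZIP local file record
ELF_MAGIC = b"\x7fELF"                  # first bytes of a shared object (.so)

def inspect_image(data: bytes) -> dict:
    """Report whether a TIFF/DNG byte string also carries a readable ZIP archive."""
    result = {"is_tiff": data[:4] in TIFF_MAGICS, "zip_offset": None,
              "members": [], "elf_members": []}
    if not result["is_tiff"]:
        return result
    # Skip the 8-byte TIFF header, then look for the first ZIP record.
    offset = data.find(ZIP_LOCAL_HEADER, 8)
    if offset == -1:
        return result
    result["zip_offset"] = offset
    try:
        # zipfile locates the central directory from the end of the buffer,
        # so an archive preceded by image data still opens.
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                result["members"].append(info.filename)
                with zf.open(info) as fh:
                    if fh.read(4) == ELF_MAGIC:
                        result["elf_members"].append(info.filename)
    except (zipfile.BadZipFile, RuntimeError):
        pass  # signature bytes occurred by chance, or a member is encrypted
    return result

def constructed_sample(with_zip: bool) -> bytes:
    """Constructed input: a bare TIFF header plus filler, optionally followed by a ZIP."""
    tiff = b"II*\x00" + struct.pack("<I", 8) + b"\x00" * 64
    if not with_zip:
        return tiff
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # Placeholder member: ELF magic followed by zero bytes, not a real library.
        zf.writestr("lib/placeholder.so", ELF_MAGIC + b"\x00" * 12)
        zf.writestr("readme.txt", "constructed sample")
    return tiff + buf.getvalue()

if __name__ == "__main__":
    print(inspect_image(constructed_sample(with_zip=True)))
```

A non-empty `elf_members` list on a file received as an image is a reason to quarantine it for analysis; an empty result does not clear the file, since the check covers only this one packaging trait.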

Once installed, Landfall enabled extensive surveillance capabilities. The spyware could extract identifiers, installed apps, contacts, browser data, and file directories, and even remotely activate the microphone and camera.

According to forensic evidence reviewed by Unit 42, infections primarily affected Galaxy S22 through S24 models, as well as foldable devices like the Z Flip 4 and Z Fold 4. The campaign appeared to target select users in the Middle East, with confirmed activity in Iraq, Iran, Turkey, and Morocco.

The operation was discovered after researchers studying separate zero-day exploits in Apple iOS and WhatsApp noticed similar patterns involving image-based payloads. Further investigation through VirusTotal submissions revealed corrupted image clusters that ultimately led to Landfall’s identification.

Although Unit 42 has not attributed the operation to a specific group, researchers found coding similarities, server naming conventions, and infrastructure overlaps consistent with spyware used by known commercial surveillance firms such as NSO Group and Variston. The report concluded that the campaign likely originated from a professional development team with significant technical and financial resources.

Samsung confirmed that its April 2025 security update patched the vulnerability across Android versions 13 through 15. However, the company warned that devices remaining unpatched could still be vulnerable to reuse of the exploit, as Landfall’s ability to alter system configurations makes complete removal difficult.

The discovery underscores the growing sophistication of mobile spyware and the evolving risks posed by zero-click exploits—attacks that require no action from victims to compromise their devices.

