A new report suggests that Samsung Galaxy phones were targeted through a zero-day vulnerability with spyware that could steal personal data, and that the spyware has reportedly been used in the wild.
Global cybersecurity company Palo Alto Networks’ Unit 42 discovered a previously unknown spyware family that they have named “LANDFALL.” According to Android Authority, this spyware is part of a broader pattern that has been discovered and patched across multiple platforms, including iOS.
On Android, hackers exploited a zero-day vulnerability in Samsung’s Android image processing library to deliver spyware. This spyware was then used as a surveillance tool. The vulnerability was reportedly exploited before Samsung patched it this April, months after reports of the attacks.
With LANDFALL, attackers used a DNG file containing spyware and distributed it via messaging apps such as Meta’s WhatsApp. When the device processed the image, it would inadvertently load the spyware along with the image. The spyware then allowed remote operators to extract data (photos, call logs, microphone recordings, and location tracking data). There were also tools to help the spyware remain undetected, which made it difficult to remove.
Palo Alto Networks’ Unit 42 believes that LANDFALL was active in the Middle East between 2024 and early 2025, and was also used in targeted intrusion activities.
Android Authority noted that Samsung’s One UI 5 through One UI 7 (based on Android 13 through Android 15) are potentially vulnerable, alongside several targeted devices: Samsung Galaxy S22, Galaxy S23, Galaxy S24, Galaxy Z Fold 4, and Galaxy Z Flip 4.
Source: Android Authority
