Samsung phones hacked through booby-trapped images, no clicks needed


According to TechSpot, hackers conducted a sophisticated surveillance operation called “Landfall” targeting Samsung Galaxy users from 2024 through early 2025 using manipulated DNG image files that required zero user interaction. The commercial-grade spyware exploited an unpatched vulnerability (CVE-2025-21042) in Samsung’s Android software that affected Galaxy S22 through S24 models plus Z Flip 4 and Z Fold 4 devices. Palo Alto Networks Unit 42 researchers discovered the campaign primarily targeted users in Iraq, Iran, Turkey, and Morocco through corrupted images that automatically executed malicious payloads when processed by Samsung’s image renderer. Samsung finally patched the vulnerability in its April 2025 security update, but the spyware had already enabled extensive surveillance including accessing contacts, applications, and even remotely activating cameras and microphones. The operators behind Landfall remain unknown, though researchers noted technical similarities to established surveillance contractors like NSO Group.


How Landfall works

Here’s what makes this attack so concerning: it’s completely silent. Users didn’t need to click anything, download anything, or even open the images. The malware hid inside manipulated DNG files – basically a high-quality raw image format – that contained ZIP archives with malicious libraries. When these images arrived on targeted devices, Samsung’s background image processing automatically extracted and executed the hidden payload. No warnings, no permissions requested, nothing.
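For defenders triaging received images, the structural anomaly described above (a raw image that also parses as a ZIP archive) can be checked offline. The following is an added example, not code from Unit 42 or TechSpot; it assumes the archive sits after the image data, and the function names, the `.so` suffix filter and the sample bytes are all constructed for illustration.

```python
import io
import zipfile

TIFF_MAGICS = (b"II*\x00", b"MM\x00*")  # DNG is TIFF-based: little/big-endian headers
ZIP_EOCD = b"PK\x05\x06"                # ZIP end-of-central-directory signature
LIB_SUFFIXES = (".so",)                 # assumption: native libraries are the entries of interest


def scan_image(data: bytes) -> dict:
    """Report whether TIFF/DNG bytes also carry a readable ZIP archive."""
    report = {"is_tiff": data[:4] in TIFF_MAGICS, "zip_offset": None,
              "entries": [], "native_libs": []}
    if not report["is_tiff"] or ZIP_EOCD not in data:
        return report
    try:
        # zipfile locates an archive from its end, so the image bytes in
        # front of it do not prevent the archive from being read.
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            infos = zf.infolist()
    except zipfile.BadZipFile:
        return report  # signature bytes appeared by chance, no real archive
    if infos:
        # header_offset is adjusted for prepended data, so the minimum is
        # the byte position in the file where the archive begins.
        report["zip_offset"] = min(i.header_offset for i in infos)
        report["entries"] = [i.filename for i in infos]
        report["native_libs"] = [n for n in report["entries"]
                                 if n.lower().endswith(LIB_SUFFIXES)]
    return report


def build_sample(with_archive: bool) -> bytes:
    """Constructed input: a stub TIFF header, optionally followed by a ZIP."""
    image = b"II*\x00" + (8).to_bytes(4, "little") + b"\x00" * 64
    if not with_archive:
        return image
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("lib/placeholder.so", b"not a real library")
        zf.writestr("notes.txt", b"constructed sample")
    return image + buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("clean", build_sample(False)),
                        ("with archive", build_sample(True))):
        print(label, scan_image(blob))
```

A hit from this check is a reason to quarantine and inspect the file, not proof of Landfall; legitimate tooling rarely places an archive inside a DNG, which is what makes the combination worth flagging.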

Once inside, Landfall did something particularly nasty: it modified SELinux policies to grant itself extended privileges. That’s basically breaking out of Android’s security sandbox entirely. The spyware could then access pretty much everything – device identifiers, installed apps, contacts, file directories, browser data. And yes, it could remotely activate cameras and microphones. Basically, complete device takeover without the user ever knowing.

Who was targeted

This wasn’t some widespread malware campaign trying to infect millions of devices. Unit 42 found infection traces concentrated in just four countries: Iraq, Iran, Turkey, and Morocco. That suggests highly selective targeting, probably government-level surveillance operations. The fact that it focused on specific Samsung Galaxy models from S22 through S24 plus recent foldables tells us this was carefully engineered for particular device configurations.

And here’s the thing – researchers only discovered Landfall because they were investigating separate zero-day exploits in Apple iOS and WhatsApp. They noticed a pattern in image-based attacks and eventually connected the dots. Makes you wonder how many other sophisticated spyware campaigns are operating undetected right now.

Professional spyware operation

This wasn’t some amateur hacker project. Unit 42’s analysis points to a commercially engineered espionage platform with professional development behind it. The coding style, server naming conventions, and infrastructure behavior show overlaps with known surveillance contractors like NSO Group and Variston. These aren’t random criminals – these are well-funded operations with significant resources.

The spyware included sophisticated evasion measures and could persist even after system updates in some cases. That level of sophistication doesn’t come cheap. It’s the kind of tool that typically costs millions and gets sold to government agencies. While the researchers stopped short of direct attribution, all signs point to state-level surveillance capabilities.

What this means for security

Landfall represents a scary evolution in mobile threats. We’ve moved beyond phishing links and malicious apps to attacks that require zero user interaction. The entire security model assumes users have to do something to get infected. Not anymore. Now just receiving a manipulated image file can compromise your device.

Samsung patched the vulnerability in April 2025, but here’s the problem: many users don’t install security updates promptly. And even if you do update, Landfall could modify system-level configurations that make complete removal challenging. The exploit is now publicly documented too, meaning other attackers might reuse these techniques.

Bottom line? Mobile security just got a lot more complicated. If sophisticated attackers can compromise devices through something as innocent-seeming as image files, what’s next? Time to take those security updates more seriously than ever.
