What’s happened? Security researchers at Palo Alto Networks’ Unit 42 have uncovered an Android spyware campaign called Landfall. The malware exploited a zero-day vulnerability in Samsung Galaxy phones that could be triggered by a malicious image sent to a phone, and it appears to have been used in a targeted espionage campaign.
- The flaw, tracked as CVE-2025-21042, hid inside Samsung’s image-processing library, allowing attackers to infect devices with a single malicious image file.
- The exploit was zero-click, meaning victims didn’t need to open or tap anything. The infection could occur when a malicious .DNG image is received through messaging apps like WhatsApp.
- The issue was patched by Samsung in April 2025, but the spyware had already been active since July 2024, silently running for almost a year before discovery.
- The campaign mainly targeted Samsung Galaxy S22, S23, S24, and foldable models like the Z Fold 4 and Z Flip 4, across Android 13 through 15.

This is important because: Even though Samsung patched the flaw in April, targeted spyware campaigns can run for months. Researchers describe it as a precision attack on specific people, consistent with surveillance rather than mass crime.
- Victims were primarily located in the Middle East and North Africa, including Iran, Iraq, Turkey, and Morocco, suggesting geopolitical or state-aligned motives.
- The malware was distributed through a network of servers linked to domains previously associated with the Stealth Falcon surveillance group, although researchers haven’t confirmed exactly who is behind it.
- Unit 42 says the spyware’s design and infrastructure suggest that the masterminds behind Landfall are professional surveillance vendors rather than cybercriminals.

Why should I care? For everyday users, this shows that modern spyware doesn’t always require a careless click; even receiving the wrong file could trigger an exploit.
- Once installed, Landfall could record audio, activate the camera, collect messages, contacts, and call logs, and track real-time location.

OK, what’s next? Even though Samsung rolled out fixes for this flaw, researchers warn that other undisclosed exploits could still exist. If you own a Galaxy device listed above or run Android 13–15, here’s what you can do:
- Make sure your Samsung phone is fully updated.
- Avoid opening images or files from unknown senders, even in common messaging apps like WhatsApp.
- Watch for anomalies: unexpected battery drain, overheating, or unknown background data usage could indicate compromise.

Vulnerabilities like the one Landfall exploited are quite difficult to spot before they strike. That’s why phone manufacturers are doubling down on mobile security, with Apple expanding its Lockdown Mode and Google testing live threat detection for Android users.