Commercial spyware “Landfall” ran rampant on Samsung phones for almost a year

Before the April 2025 patch, Samsung phones had a vulnerability in the image processing library. The attack is zero-click because the user does not need to launch anything: when the system processes a malicious image for display, shared object library files are extracted from a ZIP archive and used to run the Landfall spyware. The payload also modifies the device's SELinux policy to grant Landfall enhanced permissions and data access.



How Landfall exploits Samsung phones.

Credit: Unit 42
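
A defender-side check for the pattern described above, added here as an example and not taken from Unit 42 or Samsung: it scans a received image file for a ZIP archive that carries shared object files. It assumes the archive sits in the same file after the image bytes; the function names and sample bytes are constructed for illustration.

```python
import io
import zipfile

ELF_MAGIC = b"\x7fELF"  # first four bytes of every ELF shared object


def find_embedded_shared_objects(data: bytes) -> list[str]:
    """Return names of ZIP members in `data` that are ELF files or named *.so.

    zipfile finds the end-of-central-directory record from the end of the
    buffer and corrects member offsets, so it also opens an archive that
    follows unrelated leading bytes (assumed here to be the image data).
    """
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return []  # no archive present in this file
    hits = []
    with archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            try:
                with archive.open(info) as member:
                    head = member.read(4)
            except (zipfile.BadZipFile, RuntimeError, NotImplementedError):
                head = b""  # encrypted or damaged member: judge by name only
            if head == ELF_MAGIC or info.filename.lower().endswith(".so"):
                hits.append(info.filename)
    return hits


def build_sample(with_archive: bool) -> bytes:
    """Constructed test input: placeholder image bytes, optionally plus a ZIP."""
    image = b"\xff\xd8\xff\xe0" + b"\x00" * 64  # stand-in, not a real picture
    if not with_archive:
        return image
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("lib_example.so", ELF_MAGIC + b"\x00" * 12)  # hypothetical name
        z.writestr("payload.bin", ELF_MAGIC + b"\x00" * 12)     # ELF without .so suffix
        z.writestr("notes.txt", "constructed sample")
    return image + buf.getvalue()


if __name__ == "__main__":
    print(find_embedded_shared_objects(build_sample(True)))
```

A hit is a reason to quarantine the file for analysis, not proof of Landfall: the check flags any archive with native libraries attached to an image.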


The infected files appear to have been delivered to victims via messaging apps such as WhatsApp. Unit 42 notes that the Landfall code references several specific Samsung phones, including the Galaxy S22, Galaxy S23, Galaxy S24, Galaxy Z Flip 4, and Galaxy Z Fold 4. Once activated, Landfall contacts a remote server with basic device information. Operators can then extract a wealth of data such as user and hardware IDs, installed apps, contacts, any files stored on the device, and browsing history. It can also activate the camera and microphone to spy on the user.

Removing the spyware is also not an easy task. Thanks to its ability to manipulate SELinux policies, it can penetrate deep into system software. It also includes several tools that help it avoid detection. Based on VirusTotal data, Unit 42 believes Landfall was active in 2024 and early 2025 in Iraq, Iran, Turkey and Morocco. The company suggests that the vulnerability may have been present in Samsung software from Android 13 to Android 15.

Unit 42 says some of the naming schemes and server responses bear similarities to commercial spyware developed by major cyber intelligence firms such as NSO Group and Variston. However, it cannot directly link Landfall to any specific group. Although this attack was highly targeted, the details are now known, and other attackers can use similar methods to access unpatched devices. Anyone who has a supported Samsung phone should make sure it has the April 2025 update or later.
