Commercial Spyware ‘Landfall’ Exploited Vulnerabilities in Samsung Phones for Nearly a Year

New Vulnerability Exposes Samsung Phones to Espionage

In April 2025, a significant vulnerability was disclosed in Samsung’s image processing library, a major concern for users of the brand’s mobile devices. The flaw has been linked to a sophisticated zero-click exploit that lets attackers compromise a device without any user interaction: the attack is triggered when the system parses a malicious image, and the exploit then deploys the Landfall spyware. Beyond breaching device security, the spyware modifies the device’s SELinux policy, granting itself broad permissions to access sensitive user data.

Targeted primarily at specific Samsung models, including the Galaxy S22, Galaxy S23, Galaxy S24, Galaxy Z Flip 4, and Galaxy Z Fold 4, the spyware was reportedly disseminated through messaging applications like WhatsApp. According to a report from Unit 42, once the spyware is activated, it connects to a remote server to send basic device information. This provides operators with a means to extract a variety of sensitive data ranging from user and hardware IDs to installed applications, contact lists, and stored files. Furthermore, the spyware possesses the capability to activate the device’s camera and microphone, allowing for real-time surveillance of users.

The complexity of removing Landfall poses additional challenges, as its design allows it to integrate deeply within the system software by manipulating existing SELinux policies. The spyware also incorporates tools specifically intended to evade detection. Preliminary investigations suggest that Landfall’s activity may have been ongoing as early as 2024, with a notable presence in regions such as Iraq, Iran, Turkey, and Morocco. The vulnerability has likely existed within Samsung’s software from Android 13 through Android 15, according to the company’s assessments.

Unit 42 has drawn parallels between Landfall and industrial-grade spyware developed by notable cyber intelligence firms such as NSO Group and Variston, although firm attribution remains elusive. Despite the highly targeted nature of this attack, the exposure of these details could enable a wider range of threat actors to replicate similar methodologies against unpatched devices. Given the circumstances, users with supported Samsung phones are urged to ensure their devices are updated to the April 2025 patch or later.
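The one mitigation the article names is the April 2025 security patch. The following shell script is an added example, not from the article or from Unit 42, that checks a connected device’s Android security patch level against that baseline using the standard `ro.build.version.security_patch` property read over `adb`. The exact threshold string `2025-04-01` is an assumption for the "April 2025 patch" named above; the sample values at the bottom are constructed to show the check running offline.

```shell
#!/bin/sh
# Added example (not from the article): verify that a Samsung/Android device's
# security patch level is at or after the April 2025 patch the article urges.
# ro.build.version.security_patch is a standard Android property (YYYY-MM-DD).

MIN_PATCH="2025-04-01"   # assumed patch-level string for the "April 2025 patch"

# patch_level_ok LEVEL -> exit 0 if LEVEL is a well-formed YYYY-MM-DD date
# at or after MIN_PATCH; non-zero if older, malformed or empty.
patch_level_ok() {
    level="$1"
    case "$level" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) return 2 ;;   # malformed or empty: treat as not verified
    esac
    # ISO dates compare correctly as integers once the dashes are removed
    have=$(printf '%s' "$level" | tr -d '-')
    want=$(printf '%s' "$MIN_PATCH" | tr -d '-')
    [ "$have" -ge "$want" ]
}

# check_device -> reads the live property over adb when adb is available
check_device() {
    if ! command -v adb >/dev/null 2>&1; then
        echo "adb not found; connect a device and install platform-tools" >&2
        return 3
    fi
    level=$(adb shell getprop ro.build.version.security_patch | tr -d '\r')
    if patch_level_ok "$level"; then
        echo "OK: security patch level $level is at or after $MIN_PATCH"
    else
        echo "WARNING: security patch level '$level' is older than $MIN_PATCH (or unreadable)"
        return 1
    fi
}

# Constructed sample values to demonstrate the check offline
for sample in 2025-05-01 2025-04-01 2025-03-01 2024-12-01 "" garbage; do
    if patch_level_ok "$sample"; then s=patched; else s=NOT-patched; fi
    echo "'$sample' -> $s"
done
```

Call `check_device` with a device attached to test the live value; a malformed or empty property is deliberately treated as "not verified" rather than "patched", so a device that cannot be read is flagged for manual review.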

Mapped onto the MITRE ATT&CK framework, the attack’s tactics line up as follows: initial access was likely achieved through the vulnerability in the image processing library; persistence is evident in the spyware’s modification of SELinux policies; and privilege escalation techniques likely gave the spyware its broad access to device functions and data, underscoring the multi-stage nature of this threat.

Business owners reliant on mobile technology must remain vigilant regarding such vulnerabilities. The risks highlighted by this incident emphasize the importance of timely software updates and the proactive management of cybersecurity protocols, as the threat landscape continues to evolve rapidly. Proactive measures are essential for safeguarding sensitive information and ensuring that business operations are not compromised by emerging cybersecurity threats.
