In recent months, Android security has returned to the spotlight, and this time it is LANDFALL that is making headlines: a new family of spyware discovered by researchers at Unit 42 of Palo Alto Networks. This is commercial-grade spyware, designed to infiltrate Samsung Galaxy devices by taking advantage of a zero-day vulnerability that remained active for several months before being corrected.

The attack, which according to experts particularly affected users in the Middle East, stands out for its delivery method: a simple DNG image file sent via WhatsApp. You don't need to click anything, you don't need to open the attachment: just receiving it is enough. Once it reaches the phone, LANDFALL gets full access to the system, allowing attackers to record audio, track location, and even extract contacts, photos, and call logs.

How LANDFALL works and which devices it affects

According to Unit 42's report, LANDFALL represents an evolution of surveillance software developed by private companies for commercial purposes, similar to other spyware already seen, such as Pegasus. The malware exploited the vulnerability CVE-2025-21042, discovered in the image processing library of Samsung devices and actively used by attackers since mid-2024, well before Samsung patched it in April 2025.

The malicious code was hidden in specially modified DNG image files, which exploited a bug in the way the system library handled this photo format. Once sent via WhatsApp, the spyware was activated automatically, without the need for user interaction, in what the researchers call a zero-click attack.

The main targets would have been Samsung Galaxy S22, S23, S24 and Fold/Flip devices, particularly in countries like Iraq, Iran, Türkiye and Morocco. The evidence collected suggests its use by a private sector actor or a group that specializes in selling surveillance tools to governments and organizations.

LANDFALL, once installed, is able to record ambient audio, access GPS location, read messages and chats, extract photos, contacts and call history, maintaining an almost total level of control over the infected device.

A case that confirms the fragility of the mobile ecosystem

The discovery of LANDFALL puts the spotlight back on an increasingly pressing problem: the security of system libraries integrated into modern smartphones. In recent months, Apple has also had to face similar vulnerabilities related to image processing, demonstrating how these components, often invisible to users, are an increasingly attractive target for attackers.

Samsung released a patch for the flaw in April 2025, but Palo Alto experts point out that the attack had been active for many months before that. It’s a clear sign of how zero-day vulnerabilities can remain silent and operational for a long time, often targeting specific geographical areas or categories of users without arousing suspicion.

For users, the lesson is simple but fundamental: even a seemingly innocuous message can hide a risk, especially if it comes from unknown senders or unverified channels. Keeping your device updated and installing security patches remains, once again, the first and most effective form of defense.