Zero‑day attack lets LandFall hijack Samsung Galaxy phones

Danny Weber

07:18 11-11-2025

© A. Krivonosov

Unit 42 exposes LandFall spyware abusing a zero‑day in Samsung’s image library to hack Galaxy phones via WhatsApp photos. Galaxy S22–S24 devices were affected; the flaw was patched in April 2025.

Researchers at Palo Alto Networks Unit 42 have uncovered a large-scale campaign using LandFall malware that, over the past year, infected Samsung Galaxy smartphones across the Middle East. The malicious code spread through images sent via WhatsApp and exploited a zero‑day flaw in a Samsung‑built Android image processing library.

The exploit let attackers run arbitrary code on the device, effectively seizing full control. Once inside, LandFall unlocked access to personal data — from photos, chats, and contacts to the microphone and even real‑time location. No tap or download was required: receiving a booby‑trapped image was enough to trigger the compromise.

Specialists report the attacks began in July 2024 and hit Galaxy S22, S23, and S24 devices, as well as certain Galaxy Z Fold models. Infections were observed in Turkey, Morocco, Iran, and Iraq. Experts assess LandFall as commercial spyware used for targeted operations against specific individuals.

The vulnerability, tracked as CVE‑2025‑21042, was patched in the April 2025 security update. The latest models, including the Galaxy S25, are not affected. When an attack slips in via an ordinary photo, complacency becomes the biggest weakness — a reminder to install security updates promptly, even if the phone no longer receives full operating system upgrades.