Spyware exploited Samsung Galaxy devices for a year

Publication date: 18.11.2025 13:04:00

Researchers at Palo Alto Networks uncovered a large-scale campaign in which the commercial spyware Landfall secretly operated on Samsung Galaxy smartphones for nearly twelve months.

The attack relied on a zero‑day vulnerability in Samsung’s Android firmware, enabling data extraction and remote control without user interaction. The spyware infiltrated devices via messengers like WhatsApp, disguised as specially crafted image files.

Landfall was first detected in summer 2024, but Samsung released an official patch only in April 2025. The attack featured a “zero‑click” technique: infection occurred automatically when the image was processed, without opening the file.

Hackers used modified DNG files containing hidden ZIP archives with malicious code. Once activated, Landfall altered SELinux policies, gained elevated privileges, collected contacts, files, and browsing history, and could activate the camera and microphone.
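
For triage of received image files, the check below flags the file shape described above: a TIFF-based image (DNG uses the TIFF container) that also parses as a ZIP archive. It is an added example, not code from the researchers or from this article; the function names and the sample bytes are constructed for illustration, and ZIP64 archives are assumed out of scope.

```python
import io
import struct
import zipfile

TIFF_MAGICS = (b"II*\x00", b"MM\x00*")  # DNG is TIFF-based: little/big-endian headers
ZIP_EOCD = b"PK\x05\x06"                # ZIP end-of-central-directory signature


def find_embedded_zip(data: bytes):
    """Return (zip_start_offset, member_names) for a TIFF/DNG that also parses
    as a ZIP archive, or None when the file is not such a polyglot."""
    if data[:4] not in TIFF_MAGICS:
        return None
    eocd = data.rfind(ZIP_EOCD)
    if eocd < 0:
        return None
    try:
        # zipfile tolerates leading non-ZIP bytes, so it validates the
        # central directory even when image data precedes the archive.
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except (zipfile.BadZipFile, ValueError, OSError):
        return None  # signature bytes without a well-formed archive
    # EOCD layout: sig(4) disk fields(8) cd_size(4) cd_offset(4) comment_len(2)
    cd_size, cd_offset = struct.unpack_from("<II", data, eocd + 12)
    return eocd - cd_size - cd_offset, names


def build_samples():
    """Constructed inputs: a header-only TIFF stub, the same stub with a
    harmless ZIP appended, and the ZIP alone (none taken from the campaign)."""
    tiff_stub = b"II*\x00" + struct.pack("<I", 8) + struct.pack("<HI", 0, 0)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("sample.txt", "constructed test content")
    return tiff_stub, tiff_stub + buf.getvalue(), buf.getvalue()


if __name__ == "__main__":
    clean, polyglot, plain_zip = build_samples()
    for label, blob in (("clean", clean), ("polyglot", polyglot), ("zip", plain_zip)):
        print(label, find_embedded_zip(blob))
```

A hit means the image deserves closer inspection, not that it is malicious; the returned offset shows where the non-image data begins.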

Targets included Galaxy S22, S23, S24, Z Flip 4, and Z Fold 4. Infected devices were found in Iraq, Iran, Turkey, and Morocco, pointing to a regional focus.

The spyware’s code resembles NSO Group and Variston tools, though no direct link was proven. Experts warn: while the vulnerability is patched, Landfall’s methods may be reused by other actors.

Owners of Samsung and other smartphones are urged to keep their devices updated with the latest firmware.