A spyware attack affected some Galaxy phones for almost a year before a patch was issued.

The LANDFALL exploit was active before Samsung fixed the vulnerability in April. Information regarding the spyware and its use had not been made public until recently. Discovered by Palo Alto Network, LANDFALL was found in harmful DNG image files distributed through WhatsApp starting in mid-2024.

Meta, the owner of WhatsApp, has refuted claims regarding the app's role in delivering the Samsung exploit, according to Forbes. Meta stated that their investigation found no evidence to support the accusations.

Although LANDFALL has not been a threat since April, Samsung addressed another zero-day vulnerability in September. This flaw, identified as CVE-2025-21043, was present in the image processing library. The security update resolves the issue.

According to Itay Cohen, a senior researcher at Palo Alto Network's Unit 42, LANDFALL was used in targeted attacks and was not widely distributed, with espionage being the likely motive.

The LANDFALL spyware targeted Samsung Galaxy devices, particularly in the Middle East, including Turkey, Iran, Iraq, and Morocco. It had features such as microphone recording, location tracking, and access to photos and contacts. The attacks involved a corrupted image file designed to trigger a software flaw, requiring no user interaction.

Upon receiving the image, the targeted Galaxy phone was compromised, allowing attackers to:

Record audio and phone conversations.

Track GPS location in real time.

Access photos, messages, contacts, call logs, and browsing history.

Evade antivirus software and persist after device restarts.

Reports indicate that the Galaxy S22, S23, S24, Z Fold 4, and Z Flip 4 models were the primary targets of LANDFALL. The Galaxy S25 series was not affected.

The vulnerability was exploited for ten months, from July 2024 until the patch in April, placing the Galaxy models at high risk. Samsung did not release any public statement when they released the patch in April.

Security experts advise Samsung Galaxy users with Android 13-15 to install the April 2025 Android security update or later to patch the vulnerability. Disabling automatic media downloads in apps like WhatsApp and Telegram is also recommended. Enabling Android’s Advanced Protection mode or iOS’s Lockdown Mode is also advised for high-risk users.