FindArticles
FindArticles © 2025. All Rights Reserved.

Samsung Flagships Exposed to 1 Year of Data Theft

Last updated: November 10, 2025 5:18 pm
By Gregory Zuckerman

New research from Palo Alto Networks’ Unit 42 shows that top-of-the-line Samsung Galaxy phones were vulnerable for more than a year to a stealthy hacking attack that could have allowed attackers to remotely spy on users.

The malware, dubbed “LANDFALL” by the researchers who tracked it, reportedly exploited a zero-day flaw in Samsung’s image parsing library, allowing attackers to steal personal data without a tap or any other user action, before Samsung patched the issue in a security update.

Table of Contents
  • How the LANDFALL Attack Worked on Galaxy Phones
  • Which Galaxy Models Were Impacted by LANDFALL
  • Why This Zero-Day Matters for Samsung Galaxy Phones
  • What Samsung Users Can Do Now to Stay Protected
  • Who Discovered It and How It Was Resolved

The operation depended on malicious Digital Negative (DNG) image files sent through mainstream messaging applications. When the targeted device processed the crafted image, the spyware established itself and automatically began stealing data while it “routinely masked” its own actions. Unit 42 describes the campaign as targeted rather than random, with activity focused in a few areas.

The models researchers singled out include the Galaxy S22 and S23 ranges, the Galaxy S24 series, and Samsung’s foldables such as the Galaxy Z Fold 4 and Galaxy Z Flip 4. The vulnerable scope covered One UI iterations built on recent Android versions, once again illustrating how even fully updated flagship devices can be exploited when a zero-day is involved.

How the LANDFALL Attack Worked on Galaxy Phones

DNG is a raw photo format that devices regularly parse to generate previews and extract metadata. LANDFALL weaponized that routine step. As reported by Unit 42, a malformed DNG image triggered a flaw in Samsung’s image-processing code; merely handling that one file resulted in system-level code execution, with no click, no install prompt, nothing.

When active, the spyware could silently exfiltrate photos, contacts, call logs, and device identifiers; record audio clips from the microphone; and track location. Researchers also spotted methods for circumventing modern protections: hiding within trusted system processes, minimizing file-system footprints, and throttling activity to avoid triggering usage or battery anomalies. This stealth probably helped prolong the campaign.

Which Galaxy Models Were Impacted by LANDFALL

Unit 42’s analysis cites the Galaxy S22, Galaxy S23 and Galaxy S24 series, as well as the Galaxy Z Fold 4 and Galaxy Z Flip 4. The affected software spanned multiple One UI generations based on recent Android releases. Signal was allegedly spread through regular functionality, though the tainted photographs were also sent over common messengers including WhatsApp.

In this case, the campaign seems to be targeting certain geographies and victims—much like the intrusion activity observed in similar mobile espionage cases. Though there is no evidence of widespread, sustained exploitation in the wild after Samsung’s fix, devices that have not recently received a Google security update may still be vulnerable.


Why This Zero-Day Matters for Samsung Galaxy Phones

Image parsing has emerged as a fertile attack surface on all platforms, because it handles complex, untrusted content that often arrives without any explicit action by the user. High-profile iOS attacks in the last several years, for instance, have also exploited media-handling vulnerabilities to facilitate so-called zero-click compromises. LANDFALL follows that pattern on Android, compromising a device the instant it opens a booby-trapped file.

The stakes are raised by Samsung’s size. With 20% of worldwide smartphone market share according to some market trackers (including Counterpoint Research), and its status as the world’s largest Android manufacturer, a persistent zero-day hitting Galaxy flagships has outsized impact, even when a campaign is tightly focused. And it demonstrates how state-of-the-art mobile defenses, from sandboxing and permission gating to on-device ML, can be circumvented once attackers achieve code execution within trusted components.

What Samsung Users Can Do Now to Stay Protected

Update immediately. Get the latest One UI and Android security patch via Settings, then get the latest Google Play system update too. Consider enabling automatic updates to shrink the exposure windows for future fixes.

For extra risk mitigation, you could restrict automatic media downloads in your messaging apps, keep Google Play Protect switched on, refrain from sideloading APKs, and make sure that even files from contacts you know get a second look. Zero-click attacks eliminate the tap, but layered hygiene still blunts delivery and persistence in many real-world scenarios.

Who Discovered It and How It Was Resolved

Palo Alto Networks’ Unit 42 claims to have found the malware family and traced its origin to Samsung’s image library, following standard responsible disclosure procedures. Samsung fixed the problem with a security maintenance release, and it usually acknowledges external security reports in its bulletins. Users who regularly install vendor patches are safe, while those on older builds should treat the update as a priority.

LANDFALL is a reminder that the most dangerous mobile threats come in the form of everyday content, hiding right in front of you. The fix is simple—update—but the lesson is lasting: high-end phones with good security designs require timely patches to stay ahead of fast-moving adversaries.

Gregory Zuckerman is a veteran investigative journalist and financial writer with decades of experience covering global markets, investment strategies, and the business personalities shaping them. His writing blends deep reporting with narrative storytelling to uncover the hidden forces behind financial trends and innovations. Over the years, Gregory’s work has earned industry recognition for bringing clarity to complex financial topics, and he continues to focus on long-form journalism that explores hedge funds, private equity, and high-stakes investing.