Samsung’s flagship phones were quietly at risk from spyware for a year

If there’s one thing everyone values on any smartphone, whether it’s an Android or an iPhone, it’s security. We keep a lot of personal data on our phones nowadays, and the last thing anyone wants is their personal information falling into the wrong hands. However, even though our phones are constantly updated with new firmware and security patches, it’s always possible for a security vulnerability to slip through the cracks, and that’s unfortunately what recently happened with Samsung.

While Samsung Galaxy phones are known for their strong security features, including Samsung Knox, a new report reveals that the phones were vulnerable to a major malware attack for nearly a year (via Ars Technica). The discovery was made by cybersecurity researchers at Palo Alto Networks’ Unit 42 division, who uncovered the spyware vulnerability, which they have named “Landfall.”

The Android spyware specifically targeted Samsung Galaxy phones, with the attackers exploiting a zero-day vulnerability in Samsung’s Android image processing library to deploy the spyware for surveilling and extracting data from users, including microphone recording, location tracking, messages, and call logs.

According to Unit 42, Landfall remained an active vulnerability on Samsung phones for months, remaining undetected until Samsung was alerted about it and patched it in April 2025. Unit 42 believes that the Landfall spyware attack was mainly used in 2024 and early 2025 for “targeted intrusion activities in the Middle East.”

What is a zero-day vulnerability?

It’s a security flaw that developers were unaware of until it was exploited

If you’re unfamiliar with what a zero-day vulnerability is, it’s a security flaw that is exploited before the developer even knows about it. This means they have had zero days to fix it, so time is of the essence.

What made this Landfall spyware attack particularly malicious is that it could be deployed without the user even being aware of it. How is this possible? In this case, Unit 42 discovered that Landfall infected users’ phones through a malicious DNG image file containing spyware, which could be sent via a messaging app like WhatsApp.

Landfall is referred to as a “zero-click” attack because the user doesn’t need to take any action. Simply processing the image for display would cause the phone to automatically and unknowingly load the spyware, which exploited the vulnerability in Samsung’s Android image processing library that I mentioned earlier. This essentially means that the spyware could be installed on a phone without the user ever being aware of it.

Unit 42 was able to uncover the existence of Landfall after it noticed that two similar security flaws were patched for iOS and WhatsApp. It was also able to identify the targeted device models for this attack, which included the Samsung Galaxy S23 and S24 series, the Galaxy S22, the Galaxy Z Fold 4, and the Z Flip 4.

It’s worth reiterating that Landfall is no longer an active threat, as Samsung patched the vulnerability in April 2025 with a security update. Therefore, if you have a Samsung phone and have kept it updated this year, you have nothing to worry about. To easily check for the latest updates on your Samsung phone, you can go to Settings > Software update > Download and Install.