Unit 42 researchers determined that advanced spyware called Landfall was actively used in Türkiye and that sensitive data was stolen from Samsung Galaxy devices.
The spyware named Landfall, which affects Samsung's Galaxy models, targeted specially selected people in the Middle East and North Africa. Unit 42's findings show that the malware was actively used from mid-2024 to early 2025.
Researchers found that Landfall was directed at specific user groups in countries such as Iraq, Iran, Türkiye and Morocco. This software works by exploiting the vulnerability tracked as CVE-2025-21042, detected on Samsung devices. The vulnerability in question was closed with an update released in April. However, when you delay updates, your devices are still vulnerable to this danger. This type of attack is called "zero-click" because data can be stolen without users having to take any action.
Landfall's technical operation is based on a very complex chain. The spyware infiltrates the system through specially prepared DNG image files. These files exploit a flaw in the image processing library on Galaxy devices. Once the malicious file runs, attackers can remotely access the device's storage, camera and microphone. Thus, location information, message contents and call records are also exfiltrated. This shows how deep and systematic operations aimed at targeted surveillance are.
In the examples examined by Unit 42, it appears that the attack chain was designed professionally. Malicious DNG files are usually sent via messaging platforms and integrated into the system without asking for any confirmation from the user. The malicious code is executed in device memory without the user's awareness. This method gives attackers fully privileged access in a short time. Therefore, actively using devices without installing official security patches poses a serious risk.
Regional users are the target of the Landfall attack
According to the research report, Landfall focuses on selected targets rather than spreading randomly. Some clues found in the code structure suggest that there may be an organized structure behind the attack. It is currently not clear who is carrying out this operation. Despite this, the loading timings of Landfall samples and the server connections used indicate the existence of a professional infrastructure. Unit 42 researchers state that this infrastructure has also been used in different intelligence operations in the past. In addition, there is data indicating that the target profiles consist of people with political, diplomatic or media connections.
The most basic step to ensure device security is applying updates without delay. Samsung closed this vulnerability with the security package it released in April. If you have not installed this update, your devices may still be at risk. Additionally, enterprise device administrators need to make these patches mandatory in their mobile device management systems. For security reasons, it is important not to download media files from unknown sources and to limit file preview options in messaging applications.
In addition, it will be useful to keep mobile security software up to date and use tools that can monitor malicious activities at the system level. Especially for corporate users, it is recommended that files coming to mobile devices be subjected to multi-layer analysis. You can also reduce the impact of potential leaks by enabling two-factor authentication methods.
The Landfall incident once again revealed the security risks of third-party libraries used in the mobile ecosystem. This incident concerns not only Samsung devices but also other Android-based systems running on similar architecture. Therefore, you should make sure that all software components are up to date and regularly follow the security announcements published by the manufacturers.
In this era where mobile threats are becoming increasingly sophisticated, spyware is no longer effective only after a click; it appears to be effective without any user interaction. Examples such as Landfall clearly demonstrate the importance of individual awareness and regular system maintenance in digital security. A delayed update may put you at risk of losing all your personal data. Therefore, keeping your devices updated at all times is the most basic line of defense against such attacks.