Security researchers from Unit 42 of Palo Alto Networks have discovered a critical zero-day vulnerability (CVE-2025-21042) affecting millions of Android-powered Samsung Galaxy smartphones, potentially allowing hackers to install spyware and steal sensitive user data.

Zero-day vulnerability exploited through image files

According to the report, threat actors exploited a previously unknown flaw in Samsung’s Android image processing library to distribute sophisticated spyware named LANDFALL. The attackers used malicious image files in DNG format, which were shared through WhatsApp Messenger.

The spyware automatically installs itself when a user has the auto-download feature enabled for multimedia files — meaning no user action is required for infection. This makes LANDFALL a zero-click spyware, similar in nature to the infamous Pegasus spyware used for surveillance of high-profile individuals worldwide.

Devices and users at risk

The researchers revealed that Samsung Galaxy S22, S23, S24, and Galaxy Z series smartphones running Android 13, 14, and 15 are among the most vulnerable devices. The total number of affected users remains unclear.

Although Samsung had patched a vulnerability linked to this spyware in April 2025, the attackers reportedly found a new loophole in the company’s image processing framework to continue their infiltration attempts.

What LANDFALL spyware can do

Once installed, the LANDFALL spyware can secretly access nearly all data stored on the infected device. This includes:

  • Documents, photos, and videos
  • Messages and contact details
  • Call logs and location data
  • Microphone and camera recordings

The spyware effectively grants hackers full surveillance access to the compromised device, making it one of the most dangerous Android-based threats of the year.

Possible origins and targets

Though the origin of the LANDFALL spyware remains unconfirmed, cybersecurity sources suggest it has been used to monitor specific targets in the Middle East, including Iraq, Iran, Turkey, and Morocco. Investigations are ongoing to identify the developers and networks behind the attack.

How to protect your Samsung phone

Cybersecurity experts recommend the following precautions to protect users from the LANDFALL spyware and similar attacks:

  1. Turn off auto-download of media files in WhatsApp and other messaging apps.
  2. Avoid clicking links or downloading files from unknown contacts.
  3. Only install apps from verified sources like the Google Play Store.
  4. Update your phone immediately whenever a new software patch becomes available.
  5. Install reliable antivirus software to detect and block suspicious activity.

Samsung’s response expected

Samsung has not yet issued an official statement regarding this latest exploit. However, the company is expected to roll out a new security patch in the coming days to mitigate the risk. Users are advised to keep their devices updated and stay alert for any unusual activity.

With millions of Galaxy devices in active use globally, this incident underscores the growing sophistication of mobile spyware attacks and the urgent need for stronger security measures in the Android ecosystem.