Samsung Galaxy phones were quietly breached by a powerful spyware campaign, and most users had no idea. The threat may still be active, and the details are more alarming than expected. Learn how to protect yourself and your device from these attacks.
Cyber threats come in many forms, but mobile users remain the primary target. Despite regular updates, attackers continue to find ways to breach devices. The latest case proves this, revealing that Samsung Galaxy phones were vulnerable to a serious flaw that had been exploited in the wild for many months. Although the vulnerability was eventually patched, the threat may still linger, putting many users at risk.
Last week, Palo Alto Networks’ Unit 42 security team published a report (via Bleeping Computer) detailing a bug in Samsung devices, specifically in the Android image processing library. Attackers used this flaw in zero-day attacks to plant commercial-grade spyware known as LandFall.
Following the report, the Cybersecurity and Infrastructure Security Agency (CISA) recognized the severity of the flaw, assigning it a critical rating of 9.8 out of 10 on November 10. It is now tracked as CVE-2025-21042 and has been added to CISA’s Known Exploited Vulnerabilities catalog.
Why This Samsung Bug Is So Dangerous
What makes this vulnerability especially concerning is its ability to let threat actors execute code remotely without user interaction or privilege escalation. This is the hallmark of a zero-day exploit, often successfully used by threat actors to compromise devices.
Attackers used the flaw to deliver LandFall spyware, which was spread through WhatsApp chats and groups. The spyware was disguised as a DNG file that contained a hidden executable ZIP. Once activated, it could access the device’s location, microphone, messages, call logs, media files, and more without the victim knowing.
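A defensive triage check for the delivery format described above, as an added example that is not from the Unit 42 report or this article: it tests whether a file with a TIFF/DNG header also carries a readable ZIP archive. The function names and the sample bytes are constructed for illustration, and a hit only marks a file for closer inspection.

```python
import io
import struct
import zipfile

TIFF_MAGICS = (b"II*\x00", b"MM\x00*")  # DNG is a TIFF-based container


def inspect_dng(data: bytes) -> dict:
    """Report whether TIFF/DNG bytes also contain a readable ZIP archive."""
    result = {"is_tiff": data[:4] in TIFF_MAGICS, "has_zip": False,
              "zip_offset": None, "members": []}
    if not result["is_tiff"]:
        return result
    buf = io.BytesIO(data)
    # zipfile finds the end-of-central-directory record by searching from the
    # end of the file, so an archive is found even when image data precedes it.
    if not zipfile.is_zipfile(buf):
        return result
    try:
        with zipfile.ZipFile(buf) as zf:
            infos = zf.infolist()
    except zipfile.BadZipFile:
        return result
    result["has_zip"] = True
    if infos:
        # header_offset is already corrected for the bytes in front of the ZIP
        result["zip_offset"] = min(i.header_offset for i in infos)
        result["members"] = [(i.filename, i.file_size) for i in infos]
    return result


def build_constructed_sample(with_zip: bool) -> bytes:
    """Constructed input: a 14-byte TIFF stub, optionally followed by a ZIP."""
    tiff = b"II*\x00" + struct.pack("<I", 8) + struct.pack("<HI", 0, 0)
    if not with_zip:
        return tiff
    archive = io.BytesIO()
    with zipfile.ZipFile(archive, "w") as zf:
        zf.writestr("sample.bin", b"constructed placeholder bytes")
    return tiff + archive.getvalue()


if __name__ == "__main__":
    print(inspect_dng(build_constructed_sample(with_zip=True)))
    print(inspect_dng(build_constructed_sample(with_zip=False)))
```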
Screenshots of the Android ‘Advanced Protection’ settings with device protection options. It’s a safeguard that adds extra layers of security to the device. Image source: nextpit
According to the report, affected Samsung smartphones include the Galaxy S22, Galaxy S23, Galaxy S24, Galaxy Z Fold 4, and Galaxy Z Flip 4. The latest Galaxy S25 and newer foldables do not appear to be affected.
The group believed to be behind the attack is Stealth Falcon, reportedly operating out of the UAE. They are said to target specific individuals, including high-profile figures in Middle Eastern countries, though it’s unclear how many were breached. At the same time, this does not rule out the possibility that regular users could also be affected, especially if fraudsters exploit the same vulnerability.
Samsung Has Fixed the Flaw, but the Spyware Remains a Mystery
The vulnerability was reportedly exploited from July 2024 until April 2025, when Samsung patched it. What’s troubling is that both the exploit and the LandFall spyware remain largely unanalyzed. With so little known about how the spyware operates, it becomes harder to contain the threat and protect users.
In the meantime, users are urged to take precautionary measures. These include keeping Galaxy devices and apps updated, avoiding suspicious links and attachments, and ensuring they only interact with verified accounts and websites. It is also advisable to turn on on-device security tools like Advanced Device Protection if you think you’re under attack.

