“Booby-trapped images” used to spy on phones in the Middle East
For several months, hackers conducted a highly sophisticated surveillance operation targeting specific Samsung Galaxy devices, according to a new report. The campaign relied on a zero-click exploit, an especially dangerous class of exploit because the phone is compromised without the user opening, tapping, or otherwise interacting with anything.
Researchers from Palo Alto Networks’ Unit 42 have now published a full report on “Landfall,” a commercial-grade spyware strain that leveraged an unpatched vulnerability in Samsung’s Android software throughout most of 2024 and into early 2025.
Samsung addressed the flaw in an April 2025 update.
According to Unit 42’s findings, the activity seemed to be focused in the Middle East, though the identities of those behind the campaign remain unknown.
Landfall is one of the more complex zero-click attack chains documented on Android. The attack started with malformed image files: DNG raw images, a format built on TIFF, with a ZIP archive embedded in them. The archive held malicious shared-object (.so) libraries, and the crafted image itself triggered a previously unknown vulnerability in the library Samsung's software uses to process images automatically.
When a tampered image reached a device, the background image parser handled it with no user action, the vulnerability fired, and the shared objects in the embedded archive were extracted and loaded, all without any input from the victim.
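The packaging described above (a TIFF-based DNG with a ZIP archive carrying ELF shared objects tacked onto it) is something a responder can look for in files pulled from a device or a messaging cache. The script below is an added example, not code from Unit 42 or Samsung: it validates the TIFF header, checks the first IFD for the DNGVersion tag, looks for a ZIP local-file header after the TIFF header, and lists any archive members that start with the ELF magic or end in `.so`. The sample files it scans are constructed inline; the member names `loader.so` and `payload.so` are hypothetical and the "shared objects" are just the ELF magic plus padding, not real code.

```python
"""Triage helper: flag DNG/TIFF files that carry an embedded ZIP archive
containing ELF shared objects. Added example; assumes nothing beyond the
TIFF and ZIP formats and Python's standard library."""
import io
import struct
import zipfile

ELF_MAGIC = b"\x7fELF"
ZIP_LOCAL_HEADER = b"PK\x03\x04"
DNG_VERSION_TAG = 50706  # DNGVersion: its presence marks a TIFF as a DNG


def parse_tiff_header(data: bytes):
    """Return (struct endian prefix, offset of IFD0) or None if not a TIFF."""
    if len(data) < 8:
        return None
    if data[:2] == b"II":
        endian = "<"          # little-endian TIFF
    elif data[:2] == b"MM":
        endian = ">"          # big-endian TIFF
    else:
        return None
    magic, ifd0 = struct.unpack(endian + "HI", data[2:8])
    if magic != 42:
        return None
    return endian, ifd0


def ifd0_tags(data: bytes, endian: str, ifd_offset: int) -> set:
    """Collect the tag IDs of the first IFD; enough to detect DNGVersion."""
    if ifd_offset + 2 > len(data):
        return set()
    (count,) = struct.unpack_from(endian + "H", data, ifd_offset)
    tags = set()
    for i in range(count):
        pos = ifd_offset + 2 + 12 * i        # each IFD entry is 12 bytes
        if pos + 12 > len(data):
            break                            # truncated IFD: stop, don't crash
        (tag,) = struct.unpack_from(endian + "H", data, pos)
        tags.add(tag)
    return tags


def scan_image(data: bytes) -> dict:
    """Report whether a blob is a TIFF/DNG and whether a ZIP with ELF members is embedded."""
    report = {"is_tiff": False, "is_dng": False, "zip_offset": None,
              "members": [], "elf_members": [], "suspicious": False}
    hdr = parse_tiff_header(data)
    if hdr is None:
        return report
    endian, ifd0 = hdr
    report["is_tiff"] = True
    report["is_dng"] = DNG_VERSION_TAG in ifd0_tags(data, endian, ifd0)
    # A ZIP local-file header has no business inside an image. Searching raw
    # bytes can hit a chance match in pixel data, so the archive is parsed next.
    off = data.find(ZIP_LOCAL_HEADER, 8)
    if off == -1:
        return report
    report["zip_offset"] = off
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))   # zipfile tolerates prepended data
    except zipfile.BadZipFile:
        report["suspicious"] = True               # PK signature but no valid archive: still worth a look
        return report
    for info in zf.infolist():
        report["members"].append(info.filename)
        head = zf.open(info).read(4)              # only the first bytes are needed for the magic check
        if head == ELF_MAGIC or info.filename.endswith(".so"):
            report["elf_members"].append(info.filename)
    report["suspicious"] = bool(report["elf_members"])
    return report


def build_sample_dng(with_payload: bool) -> bytes:
    """Constructed sample: a minimal little-endian 1x1 DNG (ImageWidth,
    ImageLength, DNGVersion) and, optionally, an appended ZIP whose members
    start with the ELF magic. Hypothetical names; not real malware."""
    entries = [
        (256, 3, 1, 1),                        # ImageWidth = 1 (SHORT)
        (257, 3, 1, 1),                        # ImageLength = 1 (SHORT)
        (DNG_VERSION_TAG, 1, 4, 0x00000401),   # DNGVersion = 1.4.0.0 (4 BYTEs packed inline)
    ]
    ifd = struct.pack("<H", len(entries))
    for tag, typ, count, value in entries:
        ifd += struct.pack("<HHII", tag, typ, count, value)
    ifd += struct.pack("<I", 0)                # no next IFD
    tiff = b"II" + struct.pack("<HI", 42, 8) + ifd
    if not with_payload:
        return tiff
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("loader.so", ELF_MAGIC + b"\x00" * 60)
        zf.writestr("payload.so", ELF_MAGIC + b"\x00" * 60)
    return tiff + buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("clean", build_sample_dng(False)),
                        ("trapped", build_sample_dng(True))):
        print(label, scan_image(blob))
```

Run it over a directory of `.dng` files and anything with `suspicious` set deserves a closer look; a clean DNG never contains a ZIP archive, let alone one holding ELF objects. The check is deliberately format-level and does not depend on any signature for a specific spyware sample, so it also catches other files that use the same packaging trick.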
The spyware could harvest a wide range of information, including device identifiers, contact lists, application data, file directories, and browsing history. It could also remotely activate cameras and microphones, turning affected phones into complete surveillance tools.
Forensic data showed that the attack targeted Galaxy S22, S23, and S24 models, along with foldable devices like the Z Flip 4 and Z Fold 4. Evidence of infections was most common in Iraq, Iran, Turkey, and Morocco, indicating a selective, targeted operation rather than a widespread campaign.
Although the individuals or entities behind the campaign remain unidentified, Unit 42 observed similarities in code structure, domain naming conventions, and infrastructure behavior that resemble tools created by known surveillance technology providers like NSO Group and Variston. While researchers stopped short of confirming attribution, they concluded that Landfall was probably developed by a professional organization with significant technical resources rather than amateur cybercriminals. The spyware’s use of obfuscation and anti-forensic measures supports this conclusion.
Samsung confirmed that its April 2025 security update patches the vulnerability on Android versions 13 through 15. However, removing Landfall can be difficult because of its ability to modify system-level settings. Devices that haven't yet received or installed the update remain vulnerable; the quickest check is the Android security patch level shown under Settings > About phone > Software information, which should read April 2025 or later.