Prior to the April 2025 patch, Samsung phones had a vulnerability in their image processing library. It is a zero-click attack because the user doesn't have to open anything. When the device processes the malicious image for display, it extracts shared object library files from the ZIP to run the Landfall spyware. The payload also modifies the device's SELinux policy to give Landfall expanded permissions and access to data.
How Landfall exploits Samsung phones. Credit: Unit 42
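The mechanism described above (an image file carrying a ZIP archive whose shared-object entries get extracted and run) suggests a simple defender-side triage check. The following is an added example, not code from the article or from Unit 42: it constructs a stand-in "image" with a ZIP appended to it (the placement is an assumption made for illustration) and flags archive entries that look like ELF shared objects, which an image has no reason to carry.

```python
import io
import zipfile

# Constructed stand-in for an image file: a JPEG-like SOI marker plus padding.
# Not a real DNG/JPEG and not a Landfall sample; built only for this example.
FAKE_IMAGE_HEADER = b"\xff\xd8\xff\xe0" + b"\x00" * 64


def build_polyglot(entries):
    """Return image-looking bytes with a ZIP archive appended after them.
    `entries` maps archive member names to their byte content (constructed)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return FAKE_IMAGE_HEADER + buf.getvalue()


def embedded_archive_entries(data):
    """List member names of a ZIP archive carried inside image bytes.
    zipfile locates the end-of-central-directory record from the tail of the
    buffer and compensates for leading non-ZIP data, so an archive appended to
    an image is readable as-is. Returns [] when no valid archive is present."""
    if b"PK\x03\x04" not in data and b"PK\x05\x06" not in data:
        return []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return []


def suspicious_entries(data):
    """Flag archive members that are shared objects by name (.so) or whose
    content starts with the ELF magic, regardless of how they are named."""
    names = embedded_archive_entries(data)
    if not names:
        return []
    flagged = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in names:
            head = zf.open(name).read(4)
            if name.endswith(".so") or head == b"\x7fELF":
                flagged.append(name)
    return flagged


if __name__ == "__main__":
    sample = build_polyglot({"libpayload.so": b"\x7fELF" + b"\x00" * 32,
                             "readme.txt": b"benign"})
    print(suspicious_entries(sample))  # ['libpayload.so']
```

A plain image with no archive yields an empty list, so the check can run over a mailbox or messaging-app cache directory without producing noise on ordinary photos.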
The infected files appear to have been delivered to targets via messaging apps like WhatsApp. Unit 42 notes that Landfall's code references several specific Samsung phones, including the Galaxy S22, Galaxy S23, Galaxy S24, Galaxy Z Flip 4, and Galaxy Z Fold 4. Once active, Landfall reaches out to a remote server with basic device information. The operators can then extract a wealth of data, like user and hardware IDs, installed apps, contacts, any files stored on the device, and browsing history. It can also activate the camera and microphone to spy on the user.
Removing the spyware is no easy feat, either. Because of its ability to manipulate SELinux policies, it can burrow deeply into the system software. It also includes several tools that help it evade detection. Based on the VirusTotal submissions, Unit 42 believes Landfall was active in 2024 and early 2025 in Iraq, Iran, Turkey, and Morocco. The vulnerability may have been present in Samsung's software from Android 13 through Android 15, the company suggests.
Unit 42 says that several naming schemes and server responses share similarities with commercial spyware developed by large cyber-intelligence companies like NSO Group and Variston. However, they cannot directly tie Landfall to any particular group. While this attack was highly targeted, the details are now out in the open, and other threat actors could now employ similar techniques to access unpatched devices. Anyone with a supported Samsung phone should make sure they're on the April 2025 patch or later.