
"Before the April 2025 patch, Samsung phones had a vulnerability in their image processing library. This is a zero-click attack because the user doesn't need to launch anything. When the system processes the malicious image for display, it extracts shared object library files from the ZIP to run the Landfall spyware. The payload also modifies the device's SELinux policy to give Landfall expanded permissions and access to data."
"Unit 42 notes that Landfall's code references several specific Samsung phones, including the Galaxy S22, Galaxy S23, Galaxy S24, Galaxy Z Flip 4, and Galaxy Z Fold 4. Once active, Landfall reaches out to a remote server with basic device information. The operators can then extract a wealth of data, like user and hardware IDs, installed apps, contacts, any files stored on the device, and browsing history."
"Removing the spyware is no easy feat, either. Because of its ability to manipulate SELinux policies, it can burrow deeply into the system software. It also includes several tools that help evade detection. Based on the VirusTotal submissions, Unit 42 believes Landfall was active in 2024 and early 2025 in Iraq, Iran, Turkey, and Morocco. The vulnerability may have been present in Samsung's software from Android 13 through Android 15, the company suggests."
An image-processing vulnerability in Samsung phones allowed zero-click installation of Landfall spyware when the system processed a malicious image. The exploit extracted shared object library files from a ZIP to run the spyware and altered SELinux policy to grant expanded permissions and deep system access. Infected files were delivered via messaging apps such as WhatsApp. Targeted models include Galaxy S22, S23, S24, Z Flip 4, and Z Fold 4. Landfall collects device identifiers, installed apps, contacts, files, and browsing history and can activate camera and microphone. The spyware resists removal, uses evasion tools, and was active in 2024–early 2025 across multiple countries. Apply the April 2025 patch or later.
#samsung-vulnerability #landfall-spyware #zero-click-exploit #selinux-manipulation #mobile-surveillance
Read at Ars Technica