Before the April 2025 patch, Samsung phones had a vulnerability in their image processing library. This is a zero-click attack because the user doesn’t need to launch anything. When the system processes the malicious image for display, it extracts shared object library files from the ZIP to run the Landfall spyware. The payload also modifies the device’s SELinux policy to give Landfall expanded permissions and access to data.
How Landfall exploits Samsung phones.
Credit: Unit 42
How Landfall exploits Samsung phones. Credit: Unit 42
The infected files
→ Continue reading at Ars Technica