The LANDFALL spyware campaign exploited a zero-day vulnerability (CVE-2025-21042) in Samsung’s Android image processing library, targeting Galaxy devices (S22, S23, S24, Z Fold4, Z Flip4). Distributed via malformed DNG image files on WhatsApp, the malware enabled extensive surveillance—including microphone recording, location tracking, call log theft, and extraction of photos, contacts, and SMS messages. The attack leveraged SELinux manipulation for persistence and evasion, with evidence linking it to commercial spyware operations (e.g., Stealth Falcon, Variston framework) and targeted intrusions in the Middle East (Iraq, Iran, Turkey, Morocco). The vulnerability remained unpatched until April 2025, exposing users for nearly a year. While Samsung later patched related flaws (e.g., CVE-2025-21043), the campaign’s modular design suggests potential for expanded payloads. The attack’s sophistication—combining zero-day exploitation, encrypted C2 communication, and anti-forensic techniques—highlights risks to high-profile individuals, government entities, and critical infrastructure in the region. Palo Alto’s Unit 42 confirmed no WhatsApp vulnerabilities were involved, but the use of a trusted messaging platform amplified the attack’s reach and credibility.

In late 2024, attackers began exploiting CVE-2024-7399, an easily reachable path traversal flaw in Samsung MagicINFO v9 Server, to deploy a malicious JSP payload. The vulnerability allowed unauthenticated actors to upload and execute arbitrary scripts on signage management servers, which are commonly deployed in retail stores, transportation hubs, corporate lobbies and healthcare facilities. Once executed, the payload installed a downloader for the Mirai botnet, turning commercial displays into nodes for distributed denial-of-service attacks. Although no sensitive customer or employee information was stolen, the intrusion compromised system integrity and posed a risk of large-scale service disruptions. Administrators reported sporadic outages of digital signage and unusual outbound connections from Windows Server instances. Samsung released a patch in August 2024, but exploitation surged after a proof-of-concept exploit was published. Organizations running MagicINFO v9 prior to version 21.1050.0 faced ongoing exposure until they applied the update. The incident underscores the critical need for timely patch management to avoid opportunistic bottleneck attacks on nontraditional devices.

Security researchers at Palo Alto Networks uncovered LANDFALL, a sophisticated Android spyware campaign exploiting a zero-day vulnerability (CVE-2025-21042, CVSS 8.8) in Samsung Galaxy devices (S22, S23, S24, Z Fold 4, Z Flip 4). The attack leveraged malformed DNG image files (disguised as WhatsApp transfers) to deploy modular spyware capable of recording audio/calls, tracking location, harvesting SMS/contacts/files, and maintaining persistence via SELinux manipulation. Targets included high-value individuals in Middle East/North Africa (Iraq, Iran, Turkey, Morocco), suggesting state-sponsored or commercial espionage motives. While the flaw was patched in April 2025, the campaign operated since July 2024, exposing users to prolonged surveillance risks. The attack’s zero-click potential (unconfirmed) and modular design (loader + privilege escalation + C2) align with advanced threat actors like Stealth Falcon, historically linked to regional espionage. The incident underscores rising risks in mobile ecosystems, where image-processing libraries (e.g., `libimagecodec.quram.so`) are increasingly exploited for targeted intrusions.

Last year, during the Pwn2Own hacking event in Austin, Texas, the Samsung Galaxy S21 devices were hacked, not once but twice, across a period of just 48 hours. This year also the Samsung’s flagship Galaxy S22 smartphone fell to zero-day exploits twice on the same day. But this time, Samsung fixed the issues before malicious threat actors can do any harm.

Samsung suffered from a data breach incident, hackers hacked Samsung systems in the U.S that exposed some personal data of U.S customers. The compromised information includes name, contact details, demographic data, date of birth, and product registration data. Samsung said that no credit or debit card information was accessed, nor social security numbers. Customers were warned to be on the lookout for unauthorized emails, messages, or phone calls that could exploit the stolen data to engage them and they got a free credit report.

Samsung was targeted by the Lapsus$ hacker group recently. The attackers gained access to its servers and stole 190GB of confidential data, including the source code of Galaxy devices. The company immediately took off its systems and strengthen its security systems.

Back in2015 more than 600 million Samsung mobile phones around the world were vulnerable to a software bug was discovered in the phone's keyboard. The bug could allow hackers to secretly monitor the phone's camera and microphone, install apps without permission and monitor text messages. The company identifies the bug and fixed it in the next update to lower down the risks.