LANDFALL Spyware Targeted Samsung Galaxy Phones via Malicious Images

Unit 42 discovered LANDFALL, commercial-grade Android spyware, which used a hidden image vulnerability (CVE-2025-21042) to remotely spy on Samsung Galaxy users via WhatsApp. Update your phone now.

HackRead

Security researchers from Palo Alto Networks’ Unit 42 have discovered a dangerous new commercial-grade spyware called LANDFALL that secretly targeted Samsung Galaxy smartphones for months.

This sophisticated campaign relied on a hidden flaw to turn everyday image files sent over apps like WhatsApp into a tool for comprehensive surveillance. As detailed in Unit 42’s technical blog post, the foundation of this attack was a previously unknown zero-day vulnerability in a special Samsung software library (libimagecodec.quram.so) that handles image processing.

This vulnerability, tracked as CVE-2025-21042, allowed attackers to sneak the LANDFALL spyware onto a device without the user doing anything, not even clicking on a link. This is called a zero-click exploit, which is among the most dangerous attacks as it requires no user action and offers no viable defence.

For your information, CVE-2025-21042 was an ‘out-of-bounds write’ in the Samsung library and rated CVSS 9.8 (Critical). The issue basically means the spyware tricked the phone into writing malicious data outside its designated memory box.

Attackers delivered the spyware hidden inside specially created, malformed DNG (Digital Negative) image files. These images, with filenames suggesting they were sent via WhatsApp (e.g., WhatsApp Image… or WA0000.jpg), were used to exploit the Samsung vulnerability. Unit 42 confirmed they found no unknown flaws in WhatsApp itself.
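A triage check for the mismatch described above (a DNG payload carrying a `.jpg` name), as an added example that is not code from the article or from Unit 42. It relies on DNG being a TIFF-based container that carries the DNGVersion tag (0xC612) in its first image directory; the function names and the sample bytes are constructed for illustration.

```python
import struct

JPEG_MAGIC = b"\xff\xd8\xff"
DNG_VERSION_TAG = 0xC612  # DNGVersion tag, present in IFD0 of a DNG file

def tiff_ifd0_tags(data):
    """Return the set of tag ids in IFD0, or None if data is not TIFF."""
    if len(data) < 8 or data[:2] not in (b"II", b"MM"):
        return None
    endian = "<" if data[:2] == b"II" else ">"
    magic, ifd_off = struct.unpack(endian + "HI", data[2:8])
    if magic != 42:
        return None
    if ifd_off + 2 > len(data):
        return set()  # TIFF header, but the directory offset points past EOF
    (count,) = struct.unpack(endian + "H", data[ifd_off:ifd_off + 2])
    tags = set()
    for i in range(count):
        start = ifd_off + 2 + 12 * i
        entry = data[start:start + 12]
        if len(entry) < 12:  # truncated or malformed directory: stop cleanly
            break
        tags.add(struct.unpack(endian + "H", entry[:2])[0])
    return tags

def classify(name, data):
    """Return (detected_kind, suspicious) for a received media file."""
    ext = name.lower().rsplit(".", 1)[-1]
    tags = tiff_ifd0_tags(data)
    if tags is not None:
        kind = "dng" if DNG_VERSION_TAG in tags else "tiff"
    elif data.startswith(JPEG_MAGIC):
        kind = "jpeg"
    else:
        kind = "unknown"
    # A JPEG-named file that parses as TIFF/DNG is worth a closer look.
    suspicious = ext in ("jpg", "jpeg") and kind in ("dng", "tiff")
    return kind, suspicious

# Constructed sample: little-endian TIFF header plus an IFD0 holding one
# entry (DNGVersion, type BYTE, count 4, value 1.4.0.0). Not a real image.
SAMPLE_DNG = (b"II" + struct.pack("<HI", 42, 8) + struct.pack("<H", 1)
              + struct.pack("<HHI4s", DNG_VERSION_TAG, 1, 4, bytes([1, 4, 0, 0]))
              + struct.pack("<I", 0))

if __name__ == "__main__":
    print(classify("WA0000.jpg", SAMPLE_DNG))
```

A hit is a reason to examine the file, not proof of compromise, since a mislabelled raw photo trips the same check.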

Unit 42’s investigation further revealed that the LANDFALL operation was active in mid-2024, months before Samsung released a fix for the problem in April 2025. Researchers noted that a similar vulnerability (CVE-2025-21043) was patched in September 2024, showing this method of attack is part of a broader trend.

**A Powerful Spy Tool**

Once installed on a Samsung Galaxy device (including models like the S22, S23, S24, Z Flip4, and Z Fold4), LANDFALL acts as a full-featured digital spy. Its capabilities include everything from data exfiltration (stealing recorded calls, photos, contacts, and browsing history) and device fingerprinting (capturing critical identifiers like IMEI) to advanced persistence and evasion features. It can burrow deep into the system by manipulating security layers (like SELinux) and hide from security apps for long-term surveillance.

Timeline for recent exploit activity and LANDFALL spyware flowchart (Source: Palo Alto Networks)

The research suggests this was a targeted effort, not a widespread infection, with evidence pointing to activities in the Middle East, including possible victims in Iraq, Iran, Turkey, and Morocco. While no group is officially blamed, Unit 42 observed that the digital patterns and infrastructure share similarities with those of a known surveillance group called Stealth Falcon.

Current Samsung Galaxy users who have kept their devices updated are protected, as the critical flaw was fixed back in April 2025. However, the discovery of LANDFALL itself shows how advanced threats can operate for a long time, completely hidden from the average person.

Related news

⚡ Weekly Recap: Hyper-V Malware, Malicious AI Bots, RDP Exploits, WhatsApp Lockdown and More

Cyber threats didn’t slow down last week—and attackers are getting smarter. We’re seeing malware hidden in virtual machines, side-channel leaks exposing AI chats, and spyware quietly targeting Android devices in the wild. But that’s just the surface. From sleeper logic bombs to a fresh alliance between major threat groups, this week’s roundup highlights a clear shift: cybercrime is evolving fast

Samsung Zero-Click Flaw Exploited to Deploy LANDFALL Android Spyware via WhatsApp

A now-patched security flaw in Samsung Galaxy Android devices was exploited as a zero-day to deliver a "commercial-grade" Android spyware dubbed LANDFALL in targeted attacks in the Middle East. The activity involved the exploitation of CVE-2025-21042 (CVSS score: 8.8), an out-of-bounds write flaw in the "libimagecodec.quram.so" component that could allow remote attackers to execute arbitrary

CISA Flags Meteobridge CVE-2025-4008 Flaw as Actively Exploited in the Wild

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a high-severity security flaw impacting Smartbedded Meteobridge to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. The vulnerability, CVE-2025-4008 (CVSS score: 8.7), is a case of command injection in the Meteobridge web interface that could result in code execution. "

⚡ Weekly Recap: Bootkit Malware, AI-Powered Attacks, Supply Chain Breaches, Zero-Days & More

In a world where threats are persistent, the modern CISO’s real job isn't just to secure technology—it's to preserve institutional trust and ensure business continuity. This week, we saw a clear pattern: adversaries are targeting the complex relationships that hold businesses together, from supply chains to strategic partnerships. With new regulations and the rise of AI-driven attacks, the

Samsung Fixes Image Parsing Vulnerability Exploited in Android Attacks

Samsung patched CVE-2025-21043, a critical flaw in its Android devices exploited in live attacks. Users urged to install September 2025 update.

Samsung Fixes Critical Zero-Day CVE-2025-21043 Exploited in Android Attacks

Samsung has released its monthly security updates for Android, including a fix for a security vulnerability that it said has been exploited in zero-day attacks. The vulnerability, CVE-2025-21043 (CVSS score: 8.8), concerns an out-of-bounds write that could result in arbitrary code execution. "Out-of-bounds Write in libimagecodec.quram.so prior to SMR Sep-2025 Release 1 allows remote attackers to