In Summary
- A newly discovered spyware named LANDFALL has been targeting Samsung Galaxy phone users through a critical zero-day vulnerability.
- The attack, active since at least July 2024, used a “zero-click” exploit sent via WhatsApp, meaning users could be infected without any interaction.
- The spyware allows for complete device takeover, including microphone recording, data theft, and location tracking.
- Samsung issued a patch in April 2025, but many devices may still be vulnerable if not updated. The U.S. government has urged immediate action.
If You Own a Galaxy Phone, You May Have Been Spied on by Landfall
Millions of Samsung Galaxy phone users worldwide have been at risk from a sophisticated spyware campaign that went undetected for months. A newly identified threat, dubbed LANDFALL, exploited a critical security flaw in the world’s most popular Android phone brand, allowing attackers to gain complete control over devices without the user ever knowing.
The operation, which may have started as early as July 2024, highlights the shadowy world of commercial spyware and the constant race between hackers and security teams. Because Samsung is the largest smartphone brand in its native South Korea and a dominant player globally, its user base presented a massive target for this invasive campaign.
In a striking announcement, researchers from Palo Alto Networks’ Unit 42 laid out the gravity of the situation. “Unit 42 researchers have uncovered a previously unknown Android spyware family, which we have named LANDFALL. To deliver the spyware, attackers exploited a zero-day vulnerability (CVE-2025-21042) in Samsung’s Android image processing library,” stated Jen Miller-Osborn, Deputy Director of Unit 42 Threat Intelligence.

A Zero-Click Hack Through Samsung’s Defenses
What makes LANDFALL particularly alarming is its method of attack: a “zero-click” hack. This means a phone could be compromised without the owner clicking a link, downloading a file, or taking any action at all. It’s a ghost in the machine.
Pieter Arntz, a Malware Intelligence Researcher at Malwarebytes, described the mechanism bluntly: “CVE-2025-21042 allows remote attackers to execute arbitrary code—potentially gaining complete control over the victim’s phone—without user interaction. No clicks required. No warning given.”
The attackers sent specially crafted DNG image files, a raw photo format, through messaging apps like WhatsApp. When the Samsung device received and processed the image, a flaw in its internal image-processing library (specifically, the `libimagecodec.quram.so` component) was triggered. This vulnerability, an “out-of-bounds write,” allowed the malicious code hidden within the image file to be executed, effectively giving the attackers a backdoor into the phone.
Full Control and No Detection
Once inside, LANDFALL was anything but subtle in its capabilities. It was designed for total surveillance. Zeljka Zorz, Managing Editor at Help Net Security, noted, “Its capabilities include device fingerprinting … and data exfiltration: the spyware can switch on the microphone, record calls, harvest contacts, grab SMS/messaging data and photos, etc. … It’s also able to persist on the device and perform actions aimed at hiding its presence.”
The spyware’s confirmed abilities included:
- Recording audio through the microphone
- Tracking the device’s location
- Stealing photos, contacts, and call logs
- Harvesting SMS and other messaging data
- Collecting detailed information about the device and installed apps
Evidence suggests the spyware was a piece of commercial-grade tooling, engineered for sophisticated stealth and persistence to avoid being discovered by both users and mobile security software.

A Middle East Focus and Possible State Interests
While millions of devices were vulnerable, the attacks appear to have been targeted. According to Ilia Kolochenko, Founder & CEO of ImmuniWeb, “Potential targets for the spyware were located in Iran, Turkey, and Morocco … Turkey’s national CERT reported IP addresses used by LANDFALL’s C2 servers as malicious, mobile- and APT-related.” This geographical focus, combined with the spyware’s sophistication, points toward a well-resourced actor, possibly a government or a private-sector offensive actor (PSOA) that sells such tools to state clients. This incident brings to mind the ongoing challenges of industrial espionage hitting Korea’s electronics giants.
Although direct attribution remains murky, researchers noted that LANDFALL’s infrastructure shares patterns with groups like Stealth Falcon, which has been linked to espionage in the Middle East. However, a conclusive link has not been established.
Samsung’s Response and Lingering Exposure
Samsung moved to address the threat once it was identified. “A fix for CVE-2025-21042 was released in April 2025, but in the preceding months it was used by attackers to deliver the LANDFALL spyware,” confirmed Zeljka Zorz of Help Net Security.
However, the patch only protects devices that have been updated. Models confirmed to be vulnerable include high-end devices like the Galaxy S22, S23, S24, Z Fold4, and Z Flip4 series. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the vulnerability to its KEV (Known Exploited Vulnerabilities) catalog, ordering federal agencies to patch their devices by early December 2025—a move that underscores the severity of the threat.
Recommended Tech
With threats becoming more sophisticated, it’s crucial to ensure your devices are secure. For those looking to confirm their model or upgrade to a newer, protected device, The TechBull recommends checking out the official Samsung shop on Amazon for the latest releases with up-to-date security patches.
Lessons for the Mobile World
The incident has sent ripples through the cybersecurity community. “The discovery of LANDFALL highlights the need for stronger mobile defenses and proactive cybersecurity against advanced spyware,” commented John Dunn, a Senior Security Writer at eSecurity Planet. It’s a stark reminder that even the most trusted devices can have hidden flaws.
For users, the advice is clear: update your device immediately. Navigate to Settings > Software update > Download and install to ensure you have the April 2025 security patch or newer. Disabling auto-downloads for media in messaging apps can also reduce the risk of zero-click attacks. For those concerned about their digital footprint and potential data exposure from this or other threats, a comprehensive security service can be a wise investment. Services like Aura offer all-in-one protection against identity theft, financial fraud, and online threats that go beyond a simple device patch.
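For anyone responsible for more than one Galaxy phone, the Settings check above does not scale. The script below is an added example, not code from the article or from Samsung: it reads the standard Android property `ro.build.version.security_patch` over adb (adb must be installed and the phone authorised for USB debugging) and reports whether the device is on or after the April 2025 level the article says carries the fix. The `2025-04-01` threshold is an assumption derived from that date, and the serials and patch levels in the offline demo are constructed.

```shell
#!/bin/sh
# Added example (not from the article or Samsung): fleet check of the Android
# security patch level against the April 2025 level that fixes CVE-2025-21042.
# Assumes the standard property ro.build.version.security_patch, readable via adb.

MIN_PATCH="2025-04-01"   # assumed threshold: first level carrying the fix

# patch_is_current PATCH [MIN]
# Returns 0 if PATCH (YYYY-MM-DD) is on or after MIN, 1 if older, 2 if malformed.
# The dashes are stripped so the dates compare as plain integers (POSIX test).
patch_is_current() {
    patch="$1"
    min="${2:-$MIN_PATCH}"
    case "$patch" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) return 2 ;;
    esac
    patch_num=$(printf '%s' "$patch" | tr -d '-')
    min_num=$(printf '%s' "$min" | tr -d '-')
    if [ "$patch_num" -lt "$min_num" ]; then
        return 1
    fi
    return 0
}

# patch_verdict PATCH -> prints PATCHED, VULNERABLE or UNKNOWN
# (UNKNOWN covers an empty or malformed property, which should be investigated,
# not assumed safe).
patch_verdict() {
    rc=0
    patch_is_current "$1" || rc=$?
    case "$rc" in
        0) echo PATCHED ;;
        1) echo VULNERABLE ;;
        *) echo UNKNOWN ;;
    esac
}

# check_device [SERIAL]: query one attached phone over adb and print
# "<serial> <patch level> <verdict>". tr strips the CR that adb shell emits.
check_device() {
    serial="${1:-}"
    if [ -n "$serial" ]; then
        patch=$(adb -s "$serial" shell getprop ro.build.version.security_patch | tr -d '\r')
    else
        patch=$(adb shell getprop ro.build.version.security_patch | tr -d '\r')
    fi
    echo "${serial:-device} ${patch:-unknown} $(patch_verdict "$patch")"
}

# Constructed sample inventory (serial and patch level) for an offline demo.
SAMPLE_FLEET="R5CT12345 2025-04-01
R5CT67890 2025-01-01
R5CT00000 n/a"

demo() {
    printf '%s\n' "$SAMPLE_FLEET" | while read -r serial patch; do
        echo "$serial $patch $(patch_verdict "$patch")"
    done
}

# Usage: sh check_patch.sh demo            (offline, constructed data)
#        sh check_patch.sh device [SERIAL] (queries a real phone over adb)
case "${1:-}" in
    demo)   demo ;;
    device) check_device "${2:-}" ;;
esac
```

Any device that reports VULNERABLE or UNKNOWN should be pushed through Settings > Software update before it is trusted again; a patch level older than April 2025 means the image-processing fix is absent regardless of what the user sees on screen.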
The Race Between Attackers and Defenders
This episode is a classic example of the cat-and-mouse game in cybersecurity. As Jen Miller-Osborn of Unit 42 pointed out, “Sophisticated exploits can remain in public repositories for an extended period before being fully understood.” The LANDFALL campaign was active for over nine months before it was publicly detailed and patched, leaving a long window of exposure.
The incident serves as a crucial lesson for the entire mobile industry. The reliance on complex third-party libraries, like the one used for image processing, creates attack surfaces that both developers and users often overlook. As attackers continue to innovate, security can no longer be an afterthought. For Samsung and the broader Android world, the fallout from LANDFALL will be a critical test of their ability to adapt and defend against the next invisible threat. For a deeper dive into mobile vulnerabilities, check out this analysis from Malwarebytes.

