
If You Own a Galaxy Phone, You May Have Been Spied on by LANDFALL, Spyware Exploiting a Zero Day Vulnerability in the #1 South Korean Brand.



LANDFALL spyware targets Samsung Galaxy phones via zero click exploit CVE-2025-21042

Own a Samsung Galaxy? LANDFALL spyware may have targeted your phone

LANDFALL is commercial grade spyware that abused a zero day in Samsung’s image processing stack, letting attackers hijack Galaxy phones with a single incoming image and no tap from the victim. The campaign ran quietly for months, delivered through malicious DNG image files sent over messaging apps such as WhatsApp, and enabled full device takeover. Samsung patched the flaw in its April 2025 security update, so installing that update or a newer one is the fastest way to shut the door.

In Summary

  • LANDFALL used a zero click exploit of CVE-2025-21042, an out of bounds write in Samsung’s image codec library.
  • Attackers slipped in via specially crafted DNG images sent through messaging apps such as WhatsApp.
  • The spyware enabled complete surveillance, from microphone recordings to location tracking and data theft.
  • Samsung issued a fix in April 2025. Devices that have not installed recent security updates may still be exposed.

Millions of Galaxy owners were potentially in scope. Researchers at Palo Alto Networks’ Unit 42 identified the toolkit and traced the initial entry to an out of bounds write in the vendor’s image codec. In plain language, the phone only needed to receive and process a booby trapped photo for the attack to work. No taps. No downloads. No prompts.

Illustration showing a smartphone targeted by zero click spyware

What is LANDFALL and how did it break in?

LANDFALL is a recently uncovered Android spyware family that relies on a vulnerability tracked as CVE-2025-21042. The bug lives in Samsung’s image processing library and allows an out of bounds write, which the attackers turned into remote code execution. They packaged the exploit inside DNG image files and delivered them through messaging platforms. When a vulnerable device parsed the image, the payload ran in the background with nothing visible to the user.

The fragile link in the chain was the vendor specific library, specifically the libimagecodec.quram.so component, a Samsung proprietary codec rather than stock Android code. Once triggered, the exploit gave the intruder code execution on the device, and the toolkit then worked to widen its access, plant itself, and reach out to command and control servers for instructions.
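A useful way to see where an image codec can go wrong, and to triage suspicious DNG files that arrive over messaging apps, is to walk the TIFF container that DNG is built on. The scanner below is an added example written for this article; it is not Unit 42’s tooling, Samsung’s code, or a reproduction of the CVE-2025-21042 exploit. It bounds-checks every offset the file supplies (the checks a safe decoder must make, and whose absence is how out of bounds reads and writes arise), records the highest byte a compliant decoder would ever touch, and flags any archive or ELF image appended past that point, which is a classic polyglot delivery trick. The sample DNG and the appended payload are constructed in the block.

```python
# Added example (not Unit 42's or Samsung's code): walk a TIFF/DNG container,
# bounds-check every offset the way a safe parser must, and flag data past the
# last byte a compliant decoder would consume. Sample file is constructed.
import struct

TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 6: 1, 7: 1, 8: 2,
              9: 4, 10: 8, 11: 4, 12: 8, 13: 4, 16: 8, 17: 8, 18: 8}
DNG_VERSION = 50706                         # tag that marks a TIFF as DNG
DATA_PAIRS = {273: 279, 324: 325}           # (offsets, byte counts): strips, tiles
TRAILER_SIGS = {b"PK\x03\x04": "zip", b"PK\x05\x06": "zip", b"\x7fELF": "elf"}


def walk_tiff(data):
    """Return metadata and the highest offset any IFD or pixel data reaches.
    Raises ValueError on any offset that leaves the buffer; a decoder that
    trusts the file's own offsets without these checks is how an OOB write
    in an image library comes about."""
    if len(data) < 8:
        raise ValueError("too short for a TIFF header")
    bo = {b"II": "<", b"MM": ">"}.get(data[:2])
    if bo is None:
        raise ValueError("bad byte-order mark")
    magic, ifd = struct.unpack(bo + "HI", data[2:8])
    if magic != 42:
        raise ValueError("bad TIFF magic")
    extent, is_dng, seen = 8, False, set()
    while ifd:
        if ifd in seen or ifd + 2 > len(data):
            raise ValueError(f"IFD offset {ifd} invalid")
        seen.add(ifd)
        (n,) = struct.unpack(bo + "H", data[ifd:ifd + 2])
        end = ifd + 2 + 12 * n + 4
        if end > len(data):
            raise ValueError("IFD entries truncated")
        extent = max(extent, end)
        fields = {}
        for i in range(n):
            e = ifd + 2 + 12 * i
            tag, typ, count = struct.unpack(bo + "HHI", data[e:e + 8])
            size = TYPE_SIZES.get(typ)
            if size is None:
                raise ValueError(f"unknown field type {typ} for tag {tag}")
            total = size * count
            if total > 4:                   # value stored elsewhere in the file
                (ptr,) = struct.unpack(bo + "I", data[e + 8:e + 12])
                if ptr + total > len(data):
                    raise ValueError(f"tag {tag} value at {ptr} leaves the file")
                extent = max(extent, ptr + total)
                raw = data[ptr:ptr + total]
            else:                           # value packed inside the entry
                raw = data[e + 8:e + 8 + total]
            if tag == DNG_VERSION:
                is_dng = True
            if typ in (3, 4) and (tag in DATA_PAIRS or tag in DATA_PAIRS.values()):
                fields[tag] = struct.unpack(bo + ("H" if typ == 3 else "I") * count, raw)
        for off_tag, cnt_tag in DATA_PAIRS.items():
            for off, cnt in zip(fields.get(off_tag, ()), fields.get(cnt_tag, ())):
                if off + cnt > len(data):
                    raise ValueError(f"data block {off}+{cnt} leaves the file")
                extent = max(extent, off + cnt)
        (ifd,) = struct.unpack(bo + "I", data[end - 4:end])
    return {"is_dng": is_dng, "extent": extent, "size": len(data)}


def is_well_formed(data):
    """True when every offset in the file stays inside the buffer."""
    try:
        walk_tiff(data)
        return True
    except ValueError:
        return False


def triage(data):
    """Report bytes past the parsed extent and any archive/executable signature
    in them. Padding alone is common in real files; a ZIP or ELF is not."""
    info = walk_tiff(data)
    trailer = data[info["extent"]:]
    found = [name for sig, name in TRAILER_SIGS.items() if sig in trailer]
    info.update(trailing_bytes=len(trailer), trailer_types=found, suspicious=bool(found))
    return info


def build_sample_dng(payload=b""):
    """Construct a minimal little-endian DNG (one IFD, one 16-byte strip) and
    optionally append `payload` after the pixel data, as a polyglot would."""
    strip = bytes(range(16))
    n = 5
    strip_off = 8 + 2 + 12 * n + 4              # pixel data directly after the IFD

    def entry(tag, typ, count, value):
        return struct.pack("<HHI", tag, typ, count) + value.ljust(4, b"\0")

    ifd = struct.pack("<H", n) + b"".join([
        entry(256, 4, 1, struct.pack("<I", 4)),           # ImageWidth
        entry(257, 4, 1, struct.pack("<I", 4)),           # ImageLength
        entry(273, 4, 1, struct.pack("<I", strip_off)),   # StripOffsets
        entry(279, 4, 1, struct.pack("<I", len(strip))),  # StripByteCounts
        entry(DNG_VERSION, 1, 4, bytes([1, 4, 0, 0])),    # DNGVersion 1.4.0.0
    ]) + struct.pack("<I", 0)                              # no next IFD
    return b"II" + struct.pack("<HI", 42, 8) + ifd + strip + payload


if __name__ == "__main__":
    print(triage(build_sample_dng()))
    print(triage(build_sample_dng(b"PK\x03\x04" + b"\0" * 20)))
```

Run it against files pulled from a phone’s WhatsApp media directory to get a quick first cut: a clean DNG reports zero or a handful of trailing bytes, while an image carrying an appended archive shows a large trailer with a ZIP signature in it. A reported trailer is a prompt for deeper analysis, not proof of compromise, and a file that fails the offset checks is interesting in its own right, because that is exactly the input a weak decoder would mishandle.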

What could the spyware do after it landed?

In short, almost anything a determined stalker or intelligence operator would want. Researchers documented the following capabilities:

  • Record audio through the microphone and monitor calls
  • Track the device’s location in near real time
  • Exfiltrate photos, contacts, messages, and call logs
  • Harvest app data and detailed device fingerprints
  • Hide its presence and persist through routine reboots

The toolset looks commercial in quality and design. It favors stealth and long term access, which is typical of software sold to state aligned customers and well funded operators. For a sense of how attackers are leveling up with automation and social engineering, see our look at AI driven cyberattacks.

World map highlighting regions targeted by the LANDFALL spyware

Who was targeted and why does the focus matter?

Evidence points to a focused operation rather than random mass spam. Activity clustered around parts of the Middle East and North Africa, including Iran, Turkey, and Morocco, according to multiple security teams and national CERT reporting on related infrastructure. The target set and the quality of the exploit suggest a well resourced actor, possibly a government buyer or a private sector offensive actor selling to state clients. It mirrors the broader rise in industrial and political espionage we have covered, including the pressure on Korea’s electronics giants.

Attribution remains unsettled. Researchers have noted overlaps with infrastructure patterns used by known espionage crews, but no firm link has been made public.


Which Galaxy models are affected?

Samsung confirmed and patched the issue for supported models. Vulnerable phones included recent flagships such as the Galaxy S22, S23, and S24 families, along with the Z Fold4 and Z Flip4. The U.S. Cybersecurity and Infrastructure Security Agency added CVE-2025-21042 to its Known Exploited Vulnerabilities catalog and ordered federal agencies to update by early December 2025, a strong signal that the bug was under active attack.

Did Samsung fix the problem and when?

Yes. Samsung shipped a fix for CVE-2025-21042 in its April 2025 security update, noting at the time that an exploit for the issue existed in the wild; Unit 42 published its analysis of the LANDFALL toolkit months later, in November 2025. The April update closes the specific zero click path used by LANDFALL. Samsung also fixed a second out of bounds write in the same library, CVE-2025-21043, in its September 2025 update, so treat September 2025 as the patch level that covers both. If your device has not installed security patches from April 2025 or newer, you should update immediately.

Recommended Tech

If your phone is stuck on an old patch, consider checking compatibility or upgrading. You can browse the latest Galaxy models with current security updates via the official Samsung shop on Amazon.

What should you do right now?

Update first. On your Galaxy, open Settings then Software update then Download and install. You want the April 2025 patch level or newer. You can also reduce the chance of zero click exposure by turning off automatic media downloads in messaging apps and by keeping Google Play Protect enabled. For broader protection across your digital life, services like Aura bundle identity and financial monitoring with device security tools.

Why this matters for the mobile industry

LANDFALL is a reminder that modern phones rely on huge stacks of third party code. A single vulnerable library can open the door to a silent compromise. The campaign reportedly ran for many months before the public patch landed, which shows how long a high end exploit can circulate. As attackers keep pushing, defenders need faster patch pipelines, layered defenses, and sharper detection for abuse of media parsers and similar components. For more technical background, read the analysis from Unit 42, coverage by Help Net Security, and this practical guidance from Malwarebytes.

How to check and update your Galaxy for the LANDFALL fix

  1. Open Settings on your Samsung Galaxy.
  2. Tap Software update.
  3. Tap Download and install, then wait for the process to complete.
  4. Restart your phone if prompted.
  5. Confirm your Android security patch level is April 2025 or newer under Settings then About phone then Software information. September 2025 or newer also covers the later fix to the same image library.
  6. Optional hardening: in WhatsApp open Settings then Storage and data then Media auto download and turn auto downloads off. Repeat for other messaging apps that auto fetch media.
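For more than a phone or two, the patch level check is easier to do from a workstation than by tapping through settings. The script below is an added example written for this article, not Samsung or Google tooling. It assumes the patch level is read from the Android property ro.build.version.security_patch as printed by adb shell getprop, compares it against the April 2025 release that fixed CVE-2025-21042 and the September 2025 release that fixed the later CVE-2025-21043 in the same library, and summarizes a fleet. The getprop transcripts, serials and model numbers in the block are constructed for the example.

```python
# Added example (not Samsung's or Google's tooling): classify Galaxy devices by
# reported security patch level. Assumes the value in the Android property
# ro.build.version.security_patch as printed by `adb shell getprop`; the
# transcripts under SAMPLE are constructed for the example.
import datetime
import re
import subprocess

FIX_LEVEL = datetime.date(2025, 4, 1)    # Samsung April 2025 update: CVE-2025-21042
LATER_FIX = datetime.date(2025, 9, 1)    # Samsung September 2025 update: CVE-2025-21043
PROP_RE = re.compile(r"^\[(?P<key>[^\]]+)\]: \[(?P<val>[^\]]*)\]$", re.M)


def parse_getprop(text):
    """Turn `adb shell getprop` output ('[key]: [value]' lines) into a dict."""
    return {m["key"]: m["val"] for m in PROP_RE.finditer(text)}


def parse_patch_level(value):
    """'2025-04-01' -> date; missing, malformed or impossible dates -> None."""
    m = re.fullmatch(r"(\d{4})-(\d{2})-(\d{2})", (value or "").strip())
    if not m:
        return None
    try:
        return datetime.date(*map(int, m.groups()))
    except ValueError:
        return None


def assess(props):
    """Classify one device from its property dict."""
    level = parse_patch_level(props.get("ro.build.version.security_patch"))
    model = props.get("ro.product.model", "?")
    if level is None:
        verdict = "unknown"
    elif level < FIX_LEVEL:
        verdict = "unpatched"            # CVE-2025-21042 fix missing
    elif level < LATER_FIX:
        verdict = "partially patched"    # April fix present, September fix missing
    else:
        verdict = "patched"
    return {"model": model, "patch_level": level, "verdict": verdict}


def assess_fleet(transcripts):
    """transcripts: {serial: getprop output}. Returns per-device results and counts."""
    results = {serial: assess(parse_getprop(text)) for serial, text in transcripts.items()}
    counts = {}
    for r in results.values():
        counts[r["verdict"]] = counts.get(r["verdict"], 0) + 1
    return results, counts


def query_device(serial):
    """Pull getprop from a live device over adb (USB debugging must be enabled)."""
    out = subprocess.run(["adb", "-s", serial, "shell", "getprop"],
                         capture_output=True, text=True, check=True)
    return out.stdout


# Constructed transcripts standing in for three Galaxy phones (serials are made up).
SAMPLE = {
    "R5CX1": "[ro.product.model]: [SM-S911B]\n[ro.build.version.security_patch]: [2025-03-01]\n",
    "R5CX2": "[ro.product.model]: [SM-S921B]\n[ro.build.version.security_patch]: [2025-04-01]\n",
    "R5CX3": "[ro.product.model]: [SM-F936B]\n[ro.build.version.security_patch]: [2025-10-01]\n",
}

if __name__ == "__main__":
    results, counts = assess_fleet(SAMPLE)
    for serial, r in results.items():
        print(serial, r["model"], r["patch_level"], r["verdict"])
    print(counts)
```

To check real devices, replace SAMPLE with a dict built from query_device(serial) for each serial listed by adb devices, or feed the same function the property export from your MDM. The three-way verdict matters: a phone on the April 2025 level is closed to the LANDFALL path described here but still missed the later fix to the same library, so aim for September 2025 or newer.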

Frequently asked questions

What is CVE-2025-21042 and why is it dangerous?

It is a memory corruption bug in Samsung’s image processing code that lets attackers run code when a vulnerable device parses a malicious image. Because message apps often auto process images, the attack can require no user interaction.

How did attackers deliver the LANDFALL payload?

They sent specially crafted DNG image files through messaging apps such as WhatsApp. The phone’s parser handled the file as soon as it arrived, which triggered the exploit on unpatched devices.

How can I tell if my Samsung Galaxy is patched?

Go to Settings then About phone then Software information and check the Android security patch level. If it is April 2025 or newer, the vendor fix for CVE-2025-21042 is included.

Which models were at risk from this zero click attack?

Research highlighted recent flagships including Galaxy S22, S23, S24, Z Fold4, and Z Flip4. Other supported models received patches through Samsung’s normal security update cadence.

Will a factory reset remove LANDFALL if I suspect infection?

A reset removes most user space malware, but persistence techniques vary. Update the phone first, then consider a reset, and avoid restoring untrusted backups. If you face high risk, seek professional incident response.

Does turning off media auto download in messaging apps help?

Yes, it reduces exposure to image based zero click vectors. It is not a substitute for patching but it is a useful hardening step.

Is this the same as general Android malware on the Play Store?

No. LANDFALL is delivered through an exploit chain and behaves like targeted spyware. It does not rely on tricking users to install a malicious app from the store.
