Samsung Galaxy users have been targeted by commercial spyware for several months.
Quick Read
- LANDFALL spyware targeted Samsung Galaxy devices employing a zero-day exploit.
- The malware took advantage of a weakness in Samsung’s image processing library.
- For at least seven months, LANDFALL was operational, focusing on users in the Middle East.
- Devices impacted include the Galaxy S22, S23, S24, Z Fold4, and Z Flip4.
- Google’s VirusTotal, along with security experts, identified the spyware’s sweeping data collection abilities.
- This spyware is affiliated with commercial spyware vendors and potentially linked to groups associated with the UAE.
Introduction
Researchers from Palo Alto Networks’ Unit 42 division have uncovered an unreported commercial spyware that targets Samsung Galaxy devices. Named LANDFALL, this malware exploited a zero-day vulnerability in Samsung’s image processing library, primarily affecting users in the Middle East.
Details of the Exploit
The LANDFALL spyware exploited CVE-2025-21042, a significant vulnerability in Samsung’s libimagecodec.quram.so library, which handles Digital Negative (DNG) raw image files. The malware was delivered as DNG files sent via WhatsApp, allowing devices to be compromised without any user interaction.
Evidence indicates that the malware operated from July 2024 to February 2025, prior to Samsung addressing the vulnerability in April 2025. A related issue, CVE-2025-21043, was later resolved in September 2025.
Impact on Users
LANDFALL’s features included audio recording, phone call interception, access to call history, and extraction of contacts, SMS messages, photos, and arbitrary files from compromised devices. It also allowed ongoing location tracking, granting attackers significant surveillance capabilities.
The spyware notably targeted the Samsung Galaxy S22, S23, S24 series, in addition to Z Fold4 and Z Flip4 models.
Technical Analysis
Unit 42’s investigation found that LANDFALL possessed a modular structure, permitting additional features to be downloaded after infection. The command and control setup consisted of six servers linked to domains associated with malicious activities. The infrastructure and domain patterns showed resemblances to known threat groups, including Stealth Falcon.
Despite these discoveries, conclusive attribution to a specific threat actor remains uncertain. The malware is monitored under the identifier CL-UNK-1054.
Similar Vulnerabilities
The LANDFALL campaign is indicative of a wider trend of exploited DNG image processing vulnerabilities across mobile platforms. In 2025, Apple also addressed a comparable zero-day vulnerability (CVE-2025-43300) that was exploited in combination with a WhatsApp vulnerability (CVE-2025-55177) for remote code execution.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has included the Samsung vulnerability in its Known Exploited Vulnerabilities (KEV) list.
Summary
The identification of LANDFALL spyware emphasizes the ongoing threat posed by zero-day vulnerabilities, particularly those affecting widely used mobile devices. While Samsung’s swift action to address the vulnerabilities is commendable, this incident highlights the necessity for ongoing vigilance and security practices to safeguard users against advanced cyber threats.