
Landfall spyware targets Samsung phones in 0-day exploit


Landfall targets Samsung

A newly discovered spyware campaign called Landfall exploited a zero-day vulnerability in Samsung Galaxy phones. The malicious actors used specially crafted DNG image files to deliver the spyware.

The flaw is tracked as CVE-2025-21042 in Samsung’s image-processing library. According to Unit 42 and subsequent reporting, the campaign was active from mid-2024 into early 2025.

Samsung released fixes in 2025, and users should follow Samsung’s official security bulletin for their device’s exact patch date.


Exploited zero-day vulnerability

Landfall abuses an out-of-bounds write bug (CVE-2025-21042) in Samsung’s libimagecodec.quram.so component. This zero-day allows attackers to execute code when the phone parses a malicious image.

Unit 42 found that when an app or the system automatically processes incoming media, the exploit can operate without explicit user interaction. Under those conditions, the attack behaves like a “zero-click” exploit, which makes it more dangerous and especially stealthy.


Delivery through WhatsApp images

Researchers found that the attackers used WhatsApp as the delivery channel. They sent DNG (Digital Negative) files disguised as normal photos or JPEGs. When the phone processes these files, the embedded payload (a ZIP archive) is triggered, launching the spyware.

The use of WhatsApp is particularly effective because many apps automatically process and preview incoming media. This method lets spyware slip in quietly, without raising suspicion.
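
The delivery described above, a DNG file presented as a JPEG with a ZIP archive embedded in it, leaves two properties a defender can check statically on a received file. The triage sketch below is an added example, not code from Unit 42, Samsung, or WhatsApp; the function names and the sample file are constructed for illustration, and it assumes the archive can be located through its end-of-central-directory record, which is how Python's `zipfile` finds it.

```python
import io
import struct
import zipfile

TIFF_MAGICS = (b"II*\x00", b"MM\x00*")  # DNG is built on the TIFF container


def triage_media(name: str, data: bytes) -> dict:
    """Flag a TIFF/DNG file that carries a JPEG name or an embedded ZIP."""
    result = {"is_tiff": data[:4] in TIFF_MAGICS, "name_mismatch": False,
              "zip_offset": None, "zip_entries": []}
    if not result["is_tiff"]:
        return result
    # A TIFF-based file named .jpg/.jpeg does not match its own content type.
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    result["name_mismatch"] = ext in ("jpg", "jpeg")
    buf = io.BytesIO(data)
    if zipfile.is_zipfile(buf):
        try:
            with zipfile.ZipFile(buf) as zf:
                infos = zf.infolist()
                # zipfile corrects offsets for data placed before the archive,
                # so the smallest header offset is where the ZIP begins.
                if infos:
                    result["zip_offset"] = min(i.header_offset for i in infos)
                result["zip_entries"] = [i.filename for i in infos]
        except zipfile.BadZipFile:
            pass  # an EOCD-like byte pattern without a valid archive behind it
    return result


def build_constructed_sample() -> bytes:
    """Constructed input: an empty TIFF header followed by a harmless ZIP."""
    tiff = (b"II*\x00" + struct.pack("<I", 8)              # magic, first IFD offset
            + struct.pack("<H", 0) + struct.pack("<I", 0))  # zero entries, no next IFD
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w") as zf:
        zf.writestr("constructed.txt", "placeholder")
    return tiff + zbuf.getvalue()


if __name__ == "__main__":
    print(triage_media("IMG-0001.jpg", build_constructed_sample()))
```

A hit on either field is a reason to quarantine the file for analysis, not proof of compromise; legitimate tools occasionally produce mislabeled images.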


Infection timeline and campaign length

Unit 42 of Palo Alto Networks traced the Landfall campaign back to July 2024, and it remained active into early 2025. This long-running operation indicates that attackers had persistent access to vulnerable Samsung devices.

After disclosure, Samsung issued security updates in 2025 addressing the vulnerability. However, the time between exploit discovery and patching gave attackers a wide window to spy. The extended exposure is a big concern for anyone targeted during that period.


Targeted Samsung models

Landfall appears to have targeted specific Galaxy models: researchers named the S22, S23, S24, Z Fold 4, and Z Flip 4 among those affected. These are mostly flagship or high-end devices, which suggests a precise, high-value target set.

Not all Samsung devices may have been vulnerable; the scope looks focused. The choice of models supports the idea that this was not a broad, indiscriminate attack but a carefully planned espionage campaign.


Full surveillance capabilities

Once installed, Landfall can record audio from the microphone, monitor calls, track the device’s location, and collect photos, contacts, SMS, call logs, and files. It also fingerprints the device and can download additional modules over time.

The spyware uses a modular architecture, giving attackers flexibility in what they want to do once the device is compromised. This kind of full-spectrum surveillance makes Landfall particularly dangerous.


Evasion and persistence mechanisms

Landfall isn’t a simple Trojan; it includes components that modify SELinux policies on the device to gain deeper access and maintain persistence. One module (the loader) fetches further payloads from its command-and-control (C2) server.

Unit 42 notes that the SELinux module attempts to weaken system constraints and support persistence, which makes removal more difficult. Because of this, even after initial infection, Landfall can remain stealthy and hard to detect without advanced tools.


Geographic focus and attribution

Researchers believe the Landfall operation primarily targeted individuals in the Middle East, including countries like Iraq, Iran, Turkey, and Morocco.

The infrastructure used by Landfall shows some overlap with known surveillance groups, though no definitive attribution has been confirmed. The use of commercial-grade spyware and regional focus strongly suggests this is a targeted, high-stakes cyber operation.


Patch and mitigation timeline

Samsung fixed the exploited vulnerability in April 2025, after being alerted by security researchers. That means devices updated to April’s security release should be protected against this particular exploit.

However, the revelation comes months after the campaign started, leaving a long risk window. Users who delayed updates may have been exposed for an extended time, so updating remains critical.


Strategic implications for Samsung security

This incident is a wake-up call for Samsung and Android OEMs: image-processing libraries are a serious attack vector. Spyware developers are increasingly turning to “safe-looking” media files for zero-click exploits.

For Samsung, it underscores the need for rigorous fuzzing and security testing of media parsers. The bug also raises larger concerns about the security of pre-installed system components.


What this means for users

Samsung users should immediately check whether their device is running the April 2025 patch (or later). Avoid opening suspicious media files, even from trusted contacts, until you’re confident your device is secure.

Use features like Google Play Protect and Android security settings to monitor unusual app activity. Treat messaging attachments with caution; even “photo” files could be dangerous in some threat models.


Broader threat landscape

Landfall is part of a growing trend: spyware campaigns using crafted media files to penetrate devices without user interaction. It reflects how surveillance tools are evolving, becoming more covert and sophisticated.

As zero-day exploits in system libraries become more common, users and organizations alike must take mobile threat models seriously. This isn’t just about data theft; it’s about highly targeted intrusion.


What to do

Landfall is a high-profile spyware threat, exploiting a serious zero-day in Samsung’s image library to target Galaxy devices via WhatsApp.

It had deep surveillance capabilities, targeted specific models, and remained active for many months. The patch was released, but only updating your phone fully clears the risk.


This slideshow was made with AI assistance and human editing.
