Samsung Galaxy Devices Targeted by LANDFALL Spyware Exploit

Published: November 08, 2025
Category: Digital Life & Privacy

Full Transcript

Security researchers have uncovered a significant vulnerability in Samsung Galaxy devices, specifically exploited by a spyware known as Landfall. This spyware campaign reportedly targeted users in the Middle East for nearly a year, as detailed by Palo Alto Networks' Unit 42.

The vulnerability, referred to as CVE-2025-21042, was an out-of-bounds write flaw found in the libimagecodec.quram.so component, allowing remote attackers to execute arbitrary code. It was first detected in July 2024 and was exploited through maliciously crafted images sent, likely via messaging apps like WhatsApp, with minimal interaction required from victims.

The flaw was patched by Samsung in April 2025. However, prior to the patch, the attacks were active, with targets primarily located in Iraq, Iran, Turkey, and Morocco. The spyware, dubbed Landfall, is described as commercial-grade and boasts extensive surveillance capabilities, enabling it to harvest sensitive data such as photos, messages, contacts, call logs, and even microphone recordings.

It specifically targeted the Galaxy S22, S23, and S24 series, as well as the Z Fold and Z Flip models. With a CVSS score of 8.8, the vulnerability posed a severe risk to users of these devices. According to The Hacker News, the exploitation of this zero-day flaw indicates a sophisticated attack, potentially driven by espionage motives rather than indiscriminate malware distribution.

Unit 42 noted that Landfall shares digital infrastructure with Stealth Falcon, a known surveillance vendor implicated in previous attacks against journalists and activists. However, the researchers were unable to definitively attribute the campaign to any specific government customer.

The spyware utilized a zero-click approach, although there were no confirmations of this occurring through WhatsApp. The attack's method included embedding malicious ZIP files within DNG images, which, once extracted, facilitated the spyware's installation and execution.
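
A defender-side check for the delivery format described above, added here as an example and not taken from the original transcript or from Unit 42's tooling: it tests whether a TIFF-based DNG file carries a ZIP archive by parsing the ZIP end-of-central-directory record and validating the carved bytes. The function names and the sample input are constructed for illustration.

```python
import io
import struct
import zipfile

TIFF_MAGICS = (b"II*\x00", b"MM\x00*")  # DNG is TIFF-based: little/big-endian headers
ZIP_LOCAL = b"PK\x03\x04"               # first local file header of an archive
ZIP_EOCD = b"PK\x05\x06"                # end-of-central-directory record (22+ bytes)


def find_embedded_zip(data: bytes):
    """Return {'offset', 'size', 'names'} for a ZIP carried in TIFF/DNG bytes, else None."""
    if data[:4] not in TIFF_MAGICS:
        return None
    eocd = data.rfind(ZIP_EOCD)
    if eocd < 0 or eocd + 22 > len(data):
        return None
    # After the signature: disk, cd_disk, entries_here, entries, cd_size, cd_offset, comment_len
    *_, cd_size, cd_offset, comment_len = struct.unpack_from("<HHHHIIH", data, eocd + 4)
    # cd_offset is relative to the archive start, so the difference gives the real start.
    base = eocd - cd_size - cd_offset
    if base < 0 or data[base:base + 4] != ZIP_LOCAL:
        return None
    end = eocd + 22 + comment_len
    try:
        # Let zipfile validate the carved bytes; random image data will not parse.
        with zipfile.ZipFile(io.BytesIO(data[base:end])) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return None
    return {"offset": base, "size": end - base, "names": names}


def build_sample(with_zip: bool) -> bytes:
    """Constructed test input: a minimal empty TIFF header, optionally followed by a ZIP."""
    tiff = b"II*\x00" + struct.pack("<I", 8) + b"\x00\x00" + b"\x00" * 4 + b"\xff" * 64
    if not with_zip:
        return tiff
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("sample_a.txt", "constructed sample")
        zf.writestr("sample_b.txt", "constructed sample")
    return tiff + buf.getvalue()


if __name__ == "__main__":
    print(find_embedded_zip(build_sample(True)))
    print(find_embedded_zip(build_sample(False)))
```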

The spyware's command-and-control infrastructure remains a concern, suggesting ongoing surveillance activities even after the initial flaw was patched. While Samsung has addressed this vulnerability, the existence of similar exploit chains affecting both Samsung and iPhone devices indicates that the threat landscape remains active.

The findings underscore the critical need for heightened awareness regarding mobile security vulnerabilities, particularly within high-profile devices like the Samsung Galaxy series. As this incident unfolds, it prompts users and the smartphone industry to reassess their security measures against sophisticated threats that exploit zero-day vulnerabilities.
