A zero-day vulnerability (CVE-2025-21042) in Samsung’s Android image processing library allowed attackers to embed spyware called LANDFALL in Samsung devices including Galaxy handsets. Here are some definitions; a zero-day vulnerability is one that no one knows about giving the developer zero days to come up with a way to patch the flaw. Samsung’s Android image processing library handles the decoding and processing of various image formats, including some formats that are proprietary to Samsung.
The LANDFALL spyware impacted certain Samsung phones
The thing is, LANDFALL was exploited in the wild before Samsung was able to patch the vulnerability this past April. However, the exploitation and the spyware employed have never been discussed publicly until this past week. LANDFALL was embedded in malicious DNG image files that were sent via WhatsApp. According to the Palo Alto Network, LANDFALL was operating in the middle of 2024 which was months before the vulnerability was patched.
As for the involvement of WhatsApp delivering the Samsung exploit, this has been denied by WhatsApp owner Meta according to a report from Forbes. Meta says that it has not found any basis to support this aspect of the story and says that there is no evidence to support the claim.
LANDFALL hasn't been a threat since this past April although another zero-day vulnerability was patched by Samsung just two months ago during September. This flaw (CVE-2025-21043) was also found in the imaging processing library. The patch prevents any attack from taking place.
The spyware used microphone recording, location tracking, and photos for surveillance
Itay Cohen, a senior principal researcher at Palo Alto Network's Unit 42 said that the LANDFALL attack was targeted at certain individuals and was not mass-distributed. Cohen says that the motive for these attacks was espionage.
Flowchart for the LANDFALL spyware. | Image credit-Techworm
We should point out that the LANDFALL spyware was designed for attacks against the Samsung Galaxy line mostly with targeted attacks taking place primarily in the Middle East including Turkey, Iran, Iraq, and Morocco. Being spyware, it shouldn't be a surprise that LANDFALL used microphone recording, location tracking, photos, contacts. A malformed image file, one that has been deliberately corrupted to set off a flaw in the software that reads the file, was used in the attacks. No clicks were required to exploit the vulnerability.
As soon as the image was received by the targeted Galaxy phone, the device was compromised. Once these photos were opened or previewed, the phone could be used by attackers to:
Record microphone audio and phone calls.
In real time, track GPS location.
Access photos, messages, contacts, call logs, and browsing history.
Hide from antivirus scans and even remain active after reboots.
Reports say that the Samsung phones most attacked by LANDFALL include the Galaxy S22 line. Galaxy S23 line, Galaxy S24 line, Z Fold 4 and Z Flip 4 foldables. The Galaxy S25 series was not targeted by the spyware.
For 10 months targeted phones were extremely vulnerable
There was a period of 10 months between the time the campaign began in July 2024 and when the flaw was patched in April of this year when the aforementioned Galaxy models were at the peak of their vulnerability. When Samsung patched the vulnerability this past April, the company made no public statement about it.
Are you worried about malware like LANDFALL?
Yes. They are all over the place.
71.43%
No. I've never had a problem.
14.29%
I don't know.
14.29%
Security experts recommend that Samsung Galaxy users with a handset powered by Android 13-15 make sure that they installed the April 2025 Android Security update or later just to make sure that they have the exploit patched on their phones. Automatic media downloads for messaging apps like WhatsApp and Telegram should be disabled. They should also enable Android’s Advanced Protection mode or iOS’s Lockdown Mode if they consider themselves to be a high-risk user.
Iconic Phones is now up for pre-order in the US!
Our new coffee table book, Iconic Phones, is a stunning visual tribute to the legends in the world of phones, featuring exclusive high-resolution photography, stories, quotes and fun trivia. Pre-order now and save 15% with code: PARENA15
Alan, an ardent smartphone enthusiast and a veteran writer at PhoneArena since 2009, has witnessed and chronicled the transformative years of mobile technology. Owning iconic phones from the original iPhone to the iPhone 15 Pro Max, he has seen smartphones evolve into a global phenomenon. Beyond smartphones, Alan has covered the emergence of tablets, smartwatches, and smart speakers.
A discussion is a place, where people can voice their opinion, no matter if it
is positive, neutral or negative. However, when posting, one must stay true to the topic, and not just share some
random thoughts, which are not directly related to the matter.
Things that are NOT allowed:
Off-topic talk - you must stick to the subject of discussion
Offensive, hate speech - if you want to say something, say it politely
Spam/Advertisements - these posts are deleted
Multiple accounts - one person can have only one account
Impersonations and offensive nicknames - these accounts get banned
To help keep our community safe and free from spam, we apply temporary limits to newly created accounts:
New accounts created within the last 24 hours may experience restrictions on how frequently they can
post or comment.
These limits are in place as a precaution and will automatically lift.
Moderation is done by humans. We try to be as objective as possible and moderate with zero bias. If you think a
post should be moderated - please, report it.
Have a question about the rules or why you have been moderated/limited/banned? Please,
contact us.
FCC OKs Cingular\'s purchase of AT&T Wireless
Things that are NOT allowed:
To help keep our community safe and free from spam, we apply temporary limits to newly created accounts: