Samsung Mobile Flaw Exploited as Zero-Day to Deploy LANDFALL Android Spyware
Introduction
A major security vulnerability discovered in Samsung Galaxy smartphones has exposed thousands of users to targeted cyber-espionage.
Researchers from Palo Alto Networks Unit 42 revealed that a zero-day flaw (CVE-2025-21042) in Samsung’s Android software allowed hackers to secretly deploy a powerful spyware tool called LANDFALL.
Although Samsung patched the issue in April 2025, the exploit was already being used “in the wild,” compromising high-value targets across several Middle Eastern countries.
This article explains how the attack worked, which devices were affected, and why it highlights the growing sophistication of mobile spyware threats.
What Is a Zero-Day Vulnerability?
A zero-day vulnerability refers to a previously unknown software flaw that attackers exploit before the vendor becomes aware of it or releases a fix.
Because developers have zero days to respond, such flaws are extremely valuable to cybercriminals and state-sponsored hackers.
In Samsung’s case, CVE-2025-21042 was found in the libimagecodec.quram.so library, a core component handling image-decoding functions. The weakness allowed remote code execution, giving attackers the ability to run arbitrary commands on the device without user consent.
Discovery and Patch Timeline
Security experts at Unit 42 discovered the bug after analyzing suspicious files uploaded to VirusTotal.
They determined that the vulnerability had been exploited months before Samsung issued a patch in April 2025.
- Vulnerability ID: CVE-2025-21042
- Severity Score (CVSS): 8.8 (High)
- Component Affected: libimagecodec.quram.so
- Patch Release: April 2025
- Active Exploitation: Before April 2025
Samsung also later disclosed another related flaw, CVE-2025-21043, within the same library that was similarly exploited as a zero-day in September 2025.
How the LANDFALL Spyware Was Delivered
Infection through WhatsApp Images
Investigators found that attackers distributed malicious Digital Negative (DNG) image files through WhatsApp.
These images appeared harmless, often carrying innocuous names such as “WhatsApp Image 2025-02-10 at 4.54 PM.jpeg”, but a ZIP archive was hidden at the end of each file, appended after the image data.
When the phone’s image library processed the file, the hidden payload was extracted, enabling the exploit.
The Technical Exploit Chain
- User receives the malicious DNG file on WhatsApp.
- Image-decoding triggers the out-of-bounds write flaw in libimagecodec.quram.so.
- A shared object (.so) library is unpacked and executed.
- This loader installs the LANDFALL spyware module.
- A second .so file modifies the phone’s SELinux policy, granting elevated permissions and ensuring persistence.
Some evidence suggested that a zero-click method — requiring no user interaction — might have been used, though researchers could not fully confirm this scenario.
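The delivery trick described above (a ZIP archive appended to an image) and the exploit chain's unpacking of .so libraries both leave a structural trace that a defender can check for without ever decoding the image. The following is an added example, not code from Unit 42 or the original article: it reads the ZIP End of Central Directory record, works out where the ZIP stream really begins, and flags an image-looking file whose tail carries an archive, listing any native libraries inside. The TIFF header and the `.so` file names in `build_sample()` are constructed placeholders, not real LANDFALL artefacts.

```python
import io
import struct
import zipfile
from typing import Optional

# DNG is TIFF-based, so both TIFF byte orders count as "DNG-looking" here.
IMAGE_MAGICS = {b"II*\x00": "TIFF/DNG (LE)", b"MM\x00*": "TIFF/DNG (BE)", b"\xff\xd8\xff": "JPEG"}
EOCD_SIG = b"PK\x05\x06"   # ZIP End of Central Directory signature
EOCD_LEN = 22              # fixed part of the EOCD record
MAX_COMMENT = 0xFFFF       # a ZIP trailing comment is at most 65535 bytes

def image_kind(data: bytes) -> Optional[str]:
    """Image format implied by the leading magic bytes, or None."""
    return next((n for m, n in IMAGE_MAGICS.items() if data.startswith(m)), None)

def find_appended_zip(data: bytes) -> Optional[dict]:
    """Locate a ZIP whose stream starts after byte 0 (i.e. glued onto another file).
    EOCD gives cd_size and cd_offset relative to the ZIP start, so
    zip_start = eocd_pos - cd_size - cd_offset; a positive value means a prefix."""
    eocd_pos = data.rfind(EOCD_SIG, max(0, len(data) - EOCD_LEN - MAX_COMMENT))
    if eocd_pos < 0:
        return None
    fields = struct.unpack("<HHHHIIH", data[eocd_pos + 4:eocd_pos + EOCD_LEN])
    entries, cd_size, cd_offset = fields[3], fields[4], fields[5]
    zip_start = eocd_pos - cd_size - cd_offset
    if zip_start <= 0:
        return None  # ordinary ZIP, or offsets that do not add up
    with zipfile.ZipFile(io.BytesIO(data)) as zf:  # zipfile tolerates prepended data
        names = zf.namelist()
    return {"zip_start": zip_start, "entries": entries, "names": names}

def triage_image(data: bytes) -> dict:
    """Flag an image-looking buffer carrying a trailing ZIP; list any .so entries inside."""
    kind, hidden = image_kind(data), find_appended_zip(data)
    names = hidden["names"] if hidden else []
    return {"image_kind": kind, "appended_zip": hidden is not None,
            "native_libs": [n for n in names if n.endswith(".so")],
            "suspicious": kind is not None and hidden is not None}

def build_sample() -> bytes:
    """Constructed input: 72-byte TIFF-style header + ZIP with two placeholder .so names."""
    header = b"II*\x00" + struct.pack("<I", 8) + b"\x00" * 64  # only the magic is real
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("loader_placeholder.so", b"\x7fELF" + b"\x00" * 32)
        zf.writestr("policy_placeholder.so", b"\x7fELF" + b"\x00" * 32)
    return header + buf.getvalue()
```

A plain ZIP (no prefix) returns `None` from `find_appended_zip`, so ordinary archives are not flagged; only a recognised image magic followed by a trailing archive sets `suspicious`.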
Capabilities of the LANDFALL Spyware
Once executed, LANDFALL acts as a full-featured surveillance tool, capable of harvesting:
- Microphone recordings and surrounding audio
- GPS location data
- Photos and videos
- Contacts and call logs
- SMS and messaging content
- Internal files and documents
The spyware communicates with a command-and-control (C2) server via HTTPS, entering a beaconing loop to receive additional payloads.
This modular design enables attackers to remotely install new components for extended spying operations.
According to Unit 42’s Itay Cohen, “LANDFALL is a modular spyware framework — the loader we analyzed is clearly designed to fetch and execute additional components from the C2 infrastructure.”
Affected Devices
The campaign specifically targeted Samsung’s Galaxy S22, S23, S24, Z Fold 4, and Z Flip 4 models — some of the company’s most popular flagship devices.
No evidence yet suggests that the newest Galaxy generation was affected, but security analysts caution that variants of the same exploit could resurface.
Regions Targeted
Unit 42 researchers traced most infection reports to the Middle East, particularly Iraq, Iran, Turkey, and Morocco.
Submission data from VirusTotal confirmed the region-specific focus, indicating that attackers likely selected targets for cyber-espionage rather than random consumer infection.
Connection to Other Campaigns
Possible Links to Stealth Falcon (FruityArmor)
Investigators noticed similarities between LANDFALL’s C2 infrastructure and domain registration patterns associated with Stealth Falcon (also known as FruityArmor), a threat actor previously linked to state-sponsored surveillance operations.
However, as of October 2025, no direct overlap between the groups has been confirmed.
Parallel Exploits on Apple and WhatsApp
Around the same time, WhatsApp acknowledged its own vulnerability (CVE-2025-55177) that was chained with Apple’s CVE-2025-43300 to target fewer than 200 high-profile users on iOS and macOS.
This overlap illustrates how attackers increasingly leverage multi-platform zero-days for coordinated surveillance operations.
Evidence of Extended Exploitation
Unit 42’s timeline analysis revealed LANDFALL samples dating back to July 2024, months before the April 2025 patch.
Surprisingly, researchers found no major functional changes between early and late variants, suggesting the spyware was stable and actively maintained.
Even after Samsung’s patch, related exploit chains remained active through August and September 2025, and some infrastructure servers are still online — potential signs of ongoing or follow-on activity.
Why This Matters for Mobile Security
Growing Sophistication of Spyware
LANDFALL demonstrates how advanced Android spyware has become — capable of bypassing multiple layers of device security and maintaining persistence undetected.
Such campaigns require high technical expertise and are likely backed by well-resourced actors with strategic interests.
Public Repositories as Risk Vectors
Researchers warn that exploit samples often remain in public repositories for months before being fully analyzed.
This accessibility allows criminals to reuse old vulnerabilities to craft new attacks even after official patches have been released.
The Need for Prompt Security Updates
Many users delay installing system updates because they seem routine or non-critical. However, this incident shows how outdated software creates real risk of spyware infection.
Protecting Your Device from Zero-Day Attacks
1️⃣ Keep Your Device Updated
Always install the latest security updates as soon as they become available. Samsung and other manufacturers release monthly patches to address critical flaws.
2️⃣ Avoid Opening Unknown Media Files
Do not open suspicious images or attachments received via messaging apps like WhatsApp or Telegram, especially from unknown numbers.
3️⃣ Use Reliable Security Software
Install trusted mobile security apps that can detect and block malicious payloads or unauthorized permissions.
4️⃣ Limit App Permissions
Review app permissions in Settings and revoke access to microphone, camera, and location for non-essential apps.
5️⃣ Enable Play Protect and Backups
Activate Google Play Protect and regularly back up your data to the cloud or an external device.
Expert Insights and Industry Response
Security analyst Itay Cohen emphasized that the LANDFALL campaign highlights the importance of cross-industry collaboration between device manufacturers, researchers, and users.
Although Samsung responded quickly once alerted, the months-long gap between initial exploitation and public patch shows how difficult it is to defend against zero-day threats.
Both Apple and Meta (WhatsApp) also patched their vulnerabilities promptly after discovery, indicating a wider industry effort to close high-risk security gaps.
Frequently Asked Questions (FAQs)
What is LANDFALL Spyware?
LANDFALL is a commercial-grade Android spyware framework used to steal data from Samsung Galaxy devices by exploiting a zero-day flaw in the image codec library.
Which Samsung models were targeted?
Galaxy S22, S23, S24, Z Fold 4, and Z Flip 4 models were the primary targets in the campaign.
How was the spyware delivered?
Attackers sent malicious DNG image files via WhatsApp, which exploited the image-processing library to execute LANDFALL payloads.
Has Samsung fixed the issue?
Yes. Samsung patched the vulnerability in April 2025. Users are strongly advised to update their devices to the latest firmware.
Who is behind the attacks?
The attackers remain unknown, but indicators link LANDFALL’s infrastructure to the Stealth Falcon group known for state-sponsored espionage in the Middle East.
Conclusion
The Samsung LANDFALL incident serves as a reminder that no device is immune to cyber espionage.
As mobile devices store increasing amounts of personal and professional data, attackers will continue to seek zero-day flaws to gain access.
Samsung’s swift response helped mitigate further damage, but the case underlines the need for constant vigilance, rapid patch deployment, and user awareness.
By staying updated and cautious, users can protect themselves from becoming the next target of advanced spyware like LANDFALL.