Landfall spyware quietly hit Samsung Galaxy phones with zero click image attacks
A new Android spyware family called LANDFALL has been used in a long running, targeted campaign against Samsung Galaxy phones. The attackers abused a zero day in Samsung’s image processing stack and used malicious DNG image files, likely delivered over messaging apps, to compromise devices without any taps. This is commercial grade tooling that looks built for government style surveillance, not a random crimeware run.
What LANDFALL actually is
LANDFALL is a full surveillance suite for Android. Once it lands on a phone it can record from the microphone, capture calls, pull photos and videos, exfiltrate SMS, contacts, and call history, and track your location in the background. The code is structured, modular, and maintained in a way that feels like a paid product. That is why researchers describe it as commercial grade spyware rather than yet another hobby project trojan.
The Samsung zero day that opened the door
The exploit chain hinges on CVE-2025-21042, an out of bounds write in libimagecodec.quram.so, the proprietary image codec library that Samsung ships in its own Android builds. A crafted DNG image triggers the bug while the library parses it and gives the attacker code execution in whatever process decoded the picture. The attackers appended a ZIP archive to the end of the DNG: a TIFF based image parser only follows the offsets in its own directory structures and ignores trailing bytes, so the image still looks valid, while the archive unpacked into shared object libraries and loader code that bootstrapped LANDFALL on the device. Samsung fixed the flaw in its April 2025 security update, but the spyware had been using it quietly before that patch landed.
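The carrier format described above, a valid DNG with a ZIP archive glued onto its tail, is something a defender can check for without needing the exploit itself. The script below is an added example written for this article, not Unit 42's or Samsung's code. It walks the TIFF directory structure of a DNG to find the last byte the image actually references, then looks for a ZIP end of central directory record beyond that point and lists the archive members. The sample DNG it builds and the member names `stage1.so` and `stage2.so` are constructed placeholders, not LANDFALL artifacts.

```python
"""Detect a ZIP archive appended to a TIFF/DNG file (added example; constructed sample data)."""
import io
import struct
import zipfile

# Byte width of each TIFF field type (1=BYTE ... 12=DOUBLE, 13=IFD, 16-18=BigTIFF 64-bit types)
TIFF_TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 6: 1, 7: 1, 8: 2, 9: 4, 10: 8,
                   11: 4, 12: 8, 13: 4, 16: 8, 17: 8, 18: 8}
SUB_IFD_TAGS = {330, 34665}        # SubIFDs and Exif IFD: values are offsets of further IFDs
STRIP_TAGS = {273: 279, 324: 325}  # StripOffsets->StripByteCounts, TileOffsets->TileByteCounts


def tiff_data_extent(data: bytes) -> int:
    """Walk every IFD and return the end offset of the last byte the TIFF structure references."""
    if len(data) < 8 or data[:2] not in (b"II", b"MM"):
        raise ValueError("not a classic TIFF/DNG header")
    e = "<" if data[:2] == b"II" else ">"
    magic, first_ifd = struct.unpack_from(e + "HI", data, 2)
    if magic != 42:
        raise ValueError("bad TIFF magic")
    extent, seen, pending = 8, set(), [first_ifd]
    while pending:
        ifd = pending.pop()
        if ifd == 0 or ifd in seen or ifd + 2 > len(data):
            continue
        seen.add(ifd)
        (n,) = struct.unpack_from(e + "H", data, ifd)
        ifd_end = ifd + 2 + 12 * n + 4
        if ifd_end > len(data):
            raise ValueError("truncated IFD")
        extent = max(extent, ifd_end)
        pending.append(struct.unpack_from(e + "I", data, ifd_end - 4)[0])  # next IFD
        values = {}
        for i in range(n):
            pos = ifd + 2 + 12 * i
            tag, typ, count = struct.unpack_from(e + "HHI", data, pos)
            size = TIFF_TYPE_SIZES.get(typ, 1) * count
            if size > 4:  # value does not fit the 4-byte field, so the field holds an offset
                (vpos,) = struct.unpack_from(e + "I", data, pos + 8)
                extent = max(extent, vpos + size)
            else:
                vpos = pos + 8
            if typ in (3, 4, 13) and vpos + size <= len(data):  # SHORT, LONG, IFD offsets
                fmt = e + ("H" if typ == 3 else "I") * count
                values[tag] = list(struct.unpack_from(fmt, data, vpos))
        for tag in SUB_IFD_TAGS:
            pending.extend(values.get(tag, []))
        for off_tag, len_tag in STRIP_TAGS.items():  # pixel data referenced by offset + length
            for off, length in zip(values.get(off_tag, []), values.get(len_tag, [])):
                extent = max(extent, off + length)
    return min(extent, len(data))


def find_appended_zip(data: bytes):
    """Return details of a ZIP archive sitting after the image data, or None if there is none."""
    extent = tiff_data_extent(data)
    eocd = data.rfind(b"PK\x05\x06")  # End of Central Directory signature
    if eocd < extent or eocd + 22 > len(data):
        return None
    _, _, _, _, _, cd_size, cd_offset, _ = struct.unpack_from("<IHHHHIIH", data, eocd)
    # ZIP offsets are relative to the archive's own start, so recover where it was glued on
    zip_start = eocd - cd_size - cd_offset
    if zip_start < extent:
        return None
    with zipfile.ZipFile(io.BytesIO(data[zip_start:])) as zf:
        members = zf.namelist()
    return {"tiff_extent": extent, "zip_start": zip_start,
            "trailing_bytes": len(data) - extent, "members": members}


def build_dng(width: int = 2, height: int = 2) -> bytes:
    """Construct a minimal little-endian DNG: one IFD, one uncompressed 8-bit strip."""
    pixels = bytes(range(width * height))
    entries = [(256, 4, 1, width), (257, 4, 1, height), (258, 3, 1, 8), (259, 3, 1, 1),
               (262, 3, 1, 1), (273, 4, 1, 0), (278, 4, 1, height),
               (279, 4, 1, len(pixels)), (50706, 1, 4, 0x00000401)]  # DNGVersion 1.4.0.0
    strip_offset = 8 + 2 + 12 * len(entries) + 4
    entries[5] = (273, 4, 1, strip_offset)  # StripOffsets points just past the IFD
    ifd = struct.pack("<H", len(entries))
    for tag, typ, count, value in entries:
        ifd += struct.pack("<HHII", tag, typ, count, value)
    return b"II" + struct.pack("<HI", 42, 8) + ifd + struct.pack("<I", 0) + pixels


def build_polyglot(dng: bytes, members: dict) -> bytes:
    """Append a ZIP archive to a DNG, the carrier layout described in the article."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return dng + buf.getvalue()


if __name__ == "__main__":
    # Placeholder member names and ELF-looking bytes; nothing here is a real LANDFALL sample.
    sample = build_polyglot(build_dng(), {"stage1.so": b"\x7fELF" + bytes(60),
                                          "stage2.so": b"\x7fELF" + bytes(60)})
    print(find_appended_zip(build_dng()))  # clean image: None
    print(find_appended_zip(sample))       # trailing archive with two members
```

Unreferenced bytes after the image extent are suspicious on their own, not only when they form a ZIP; a real scanner would flag any sizeable trailing region and hand the file to a sandbox rather than trust the signature check alone. The walker follows SubIFDs and the Exif IFD, which is where embedded previews live in a camera DNG, so a legitimate file with several images is not reported.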
Likely a zero click WhatsApp style delivery
Based on file names and context, researchers believe many of the malicious images were delivered through messaging, most likely WhatsApp. The DNGs carry names that mimic normal media, including the default naming pattern WhatsApp applies to received images. That points to a zero click scenario: receiving the image and having the device parse it is enough to trigger the exploit, and the victim does not have to tap a link or open a document. The approach tracks with other high end mobile spyware campaigns seen over the last few years.
Who and where was targeted
This was not a broad, global spray. Telemetry and infrastructure hints point to targets in Iraq, Iran, Turkey, and Morocco. That profile looks like government or intelligence driven espionage in the Middle East region rather than ad fraud or random credential theft. LANDFALL is tuned for recent Samsung devices, and the infrastructure has the feel of a private sector offensive actor rather than a casual ransomware crew.
Devices and versions in the blast radius
Samples and configuration data reference several recent Samsung flagships, including:
- Galaxy Z Fold4
- Galaxy Z Flip4
- Galaxy S22 series
- Galaxy S23 series
- Galaxy S24 series
LANDFALL appears to target phones running Android 13 through Android 15 with Samsung’s own builds. Older devices may share the vulnerable library, but the spyware authors clearly tested and optimised for the premium models that high value targets are more likely to carry.
What LANDFALL can do once it is on the phone
Once the exploit lands and the payload is unpacked, LANDFALL behaves like other top tier mobile implants. Capabilities include:
- Recording microphone audio and phone calls.
- Tracking GPS location and movement patterns.
- Collecting SMS messages, contacts, and call logs.
- Reading and exfiltrating media files and documents.
- Talking to command and control servers over tailored infrastructure.
The whole point is to stay quiet. High end spyware tries hard not to spike CPU, battery, or network usage in ways a user or a mobile security product would notice. That is one reason operations like this can run for months before anyone notices and starts hunting for them.
Commercial spyware fingerprints and the Stealth Falcon link
The infrastructure, tooling quality, and targeting suggest a private offensive shop working for state customers. Unit 42 and others have called out similarities between LANDFALL’s infrastructure and activity previously attributed to Stealth Falcon, a group long linked to surveillance operations out of the Gulf region. The public write ups stop short of hard attribution, but everything about this looks like the private sector offensive actor pattern we keep seeing on mobile now.
The timeline that should make vendors nervous
The rough public timeline looks something like this. Malicious DNG samples start showing up around mid 2024. The Samsung vulnerability is privately reported later in the year. The April 2025 update finally delivers a fix to supported Galaxy devices. Only after that, while researchers are digging into other zero click image chains, does LANDFALL get fully documented and disclosed. That means there was a window where high end Samsung phones were being quietly exploited and the only people who knew the details were the attackers and a very small set of defenders.
Why this matters beyond Samsung
You can treat LANDFALL as a very loud signal about mobile threat models. Image codecs and media parsers are now front line attack surface. Messaging apps that auto handle media are a convenient trigger. Commercial spyware vendors are clearly happy to invest in complex zero day chains to reach specific handsets. This is not just an iOS problem. Android vendors, especially those with their own libraries like Samsung, are in the same game whether they like it or not.
If you run a Galaxy, what should you do
Most people are not the kind of target LANDFALL was built for, but the basics still apply:
- Make sure your phone is on the latest Samsung security patch level. The April 2025 patch level or anything later includes the fix for CVE-2025-21042; check it under Settings, or read the ro.build.version.security_patch property over adb.
- High risk users should think about retiring devices that cannot take current firmware, rather than leaving them as backup phones.
- Where possible, disable automatic media download in messaging apps so they do less parsing in the background. This narrows the window but does not close it, since the image is still decoded when it is opened.
- Enterprises should pair MDM with mobile threat defence tools that can monitor for odd processes, unexpected network destinations, or unfamiliar certificates, and that can report patch level across the fleet.
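The patch level check above is easy to script for a drawer full of test devices or a small fleet. The script below is an added example for this article, not Samsung or Unit 42 tooling. It assumes adb is installed and USB debugging is enabled on the attached devices, reads the standard Android properties ro.build.version.security_patch, ro.product.model and ro.build.version.release, and flags any device whose patch level predates 2025-04-01, the patch level string of the April 2025 update.

```shell
#!/bin/sh
# Fleet check for the April 2025 Samsung patch that closes CVE-2025-21042.
# Added example for this article; assumes adb is on PATH and USB debugging is enabled.

BASELINE="2025-04-01"   # patch level string of the SMR Apr-2025 update

# Returns 0 when a YYYY-MM-DD security patch level is at or past the baseline,
# 1 when it is older, 2 when the string is not a patch level at all.
# Dropping the dashes turns the date into an integer, so an integer compare works.
patch_level_ok() {
    case "$1" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) return 2 ;;   # empty or garbled: never treat an unknown level as patched
    esac
    level_num=$(printf '%s' "$1" | sed 's/-//g')
    base_num=$(printf '%s' "$BASELINE" | sed 's/-//g')
    [ "$level_num" -ge "$base_num" ]
}

# Reads a property off one device by serial, stripping the CR that adb shell adds.
device_prop() {
    adb -s "$1" shell getprop "$2" | tr -d '\r'
}

# Walks every device adb reports as online and prints one verdict line per device.
check_attached_devices() {
    adb devices | awk 'NR > 1 && $2 == "device" { print $1 }' | while read -r serial; do
        level=$(device_prop "$serial" ro.build.version.security_patch)
        model=$(device_prop "$serial" ro.product.model)
        release=$(device_prop "$serial" ro.build.version.release)
        if patch_level_ok "$level"; then
            printf '%s %s (Android %s) patch %s: OK\n' "$serial" "$model" "$release" "$level"
        else
            printf '%s %s (Android %s) patch %s: VULNERABLE to CVE-2025-21042, needs %s or later\n' \
                "$serial" "$model" "$release" "$level" "$BASELINE"
        fi
    done
}

# Run with --scan to query attached devices; without it the functions are only defined.
if [ "${1:-}" = "--scan" ]; then
    check_attached_devices
fi
```

The check tells you whether the known fix is present, not whether a device was already compromised before it was patched; a phone that spent the 2024 to April 2025 window unpatched in one of the targeted regions still warrants a forensic look rather than just an update.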
For vendors, the lesson is just as clear. Treat your image and media stack like exposed surface, invest in hardening and fuzzing, and be ready to ship emergency updates quickly when the next zero click chain surfaces. LANDFALL is unlikely to be the last time we see this playbook on Android.
Sources
- The Record: Newly identified Android spyware appears to be from a commercial vendor
- Unit 42: New commercial grade Android spyware in exploit chain targeting Samsung devices
- TechCrunch: Landfall spyware abused zero day to hack Samsung Galaxy phones
- CyberScoop: New Landfall spyware apparently targeting Samsung phones in Middle East
- Dark Reading: Landfall malware targeted Samsung Galaxy users