**Zero-Day Vulnerability in Samsung Devices Allowed LANDFALL Spyware to Operate Undetected**
A zero-day vulnerability (CVE-2025-21042) discovered in Samsung’s Android image processing library enabled attackers to embed sophisticated spyware called LANDFALL into various Samsung devices, including Galaxy smartphones.
### What is a Zero-Day Vulnerability?
A zero-day vulnerability is a security flaw unknown to the software developer, giving them zero days to develop and release a patch before potential exploitation by attackers.
### About Samsung’s Image Processing Library
Samsung’s Android image processing library is responsible for decoding and processing various image formats. This includes some proprietary formats unique to Samsung devices. The recently discovered vulnerability resided within this component, making it an attractive target for attackers.
### The LANDFALL Spyware Campaign
LANDFALL spyware specifically targeted certain Samsung Galaxy phones, operating stealthily until Samsung patched the vulnerability in April 2025. However, the existence and exploitation of this spyware went unreported publicly until this past week.
According to cybersecurity experts at Palo Alto Networks’ Unit 42, LANDFALL was actively operating in the wild in early 2024—months before the patch was issued. Despite rumors linking WhatsApp to the delivery of this exploit, Meta (WhatsApp’s parent company) has firmly denied any involvement. Meta stated there is no evidence supporting claims that WhatsApp was used to distribute the malware.
### Details of the LANDFALL Exploit
The spyware infiltrated devices through a maliciously crafted image file designed to exploit the vulnerability in Samsung’s image processing library. Notably, no user interaction such as clicking was required—simply receiving the image on a targeted Galaxy device was enough to compromise it.
Once infected, LANDFALL allowed attackers to:
- Record microphone audio and phone calls
- Track GPS location in real time
- Access photos, messages, contacts, call logs, and browsing history
- Evade antivirus detection and remain active even after device reboots
The spyware primarily targeted Samsung Galaxy S22, S23, S24, Z Fold 4, and Z Flip 4 models. Interestingly, the newer Galaxy S25 series was not affected.
### Targeted Espionage Campaign
Itay Cohen, Senior Principal Researcher at Palo Alto Networks’ Unit 42, emphasized that LANDFALL attacks were highly targeted rather than mass-distributed. The motive behind these attacks was espionage, with primary victims located in the Middle East—including countries such as Turkey, Iran, Iraq, and Morocco.
### Duration of Vulnerability and Samsung’s Response
The campaign reportedly began in July 2024 and continued until Samsung released a patch in April 2025—a 10-month window during which affected Galaxy models were vulnerable. Notably, Samsung did not publicly disclose details regarding the vulnerability or its patch at that time.
### Recent Developments
Following the LANDFALL incident, Samsung patched another zero-day vulnerability (CVE-2025-21043) in the same image processing library in September 2025. This latest patch prevents similar attacks from occurring.
### Protecting Yourself Against Spyware Like LANDFALL
Security experts advise Samsung Galaxy users with devices running Android versions 13 to 15 to:
- Ensure installation of the April 2025 Android Security Update or any later updates
- Disable automatic media downloads in messaging apps such as WhatsApp and Telegram
- Enable Android’s Advanced Protection mode or iOS’s Lockdown Mode for high-risk users
By taking these preventive steps, users can greatly reduce the risk of falling victim to similar spyware threats in the future.
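For anyone managing more than one Galaxy device, the first recommendation can be checked in bulk. The following is an added example, not code from the article or from Samsung: it triages a constructed inventory using each device's Android release and security patch level (the values Android exposes as `ro.build.version.release` and `ro.build.version.security_patch`). The inventory format, device labels and the day-of-month in the cut-off dates are assumptions.

```python
from datetime import date

# Patch months come from the article; the day-of-month is an assumption
# (Android patch levels are normally dated early in the month).
FIX_CVE_2025_21042 = date(2025, 4, 1)   # April 2025 update
FIX_CVE_2025_21043 = date(2025, 9, 1)   # September 2025 update

def parse_patch_level(value):
    """Parse a YYYY-MM-DD security patch level; return None if malformed."""
    try:
        return date.fromisoformat(value.strip())
    except (ValueError, AttributeError):
        return None

def classify(android_release, patch_level):
    """Return a triage label for one Samsung Galaxy device."""
    level = parse_patch_level(patch_level)
    if level is None:
        return "unknown-patch-level"      # cannot confirm the fix, follow up
    try:
        major = int(str(android_release).split(".")[0])
    except ValueError:
        return "unknown-android-version"
    if not 13 <= major <= 15:
        return "outside-advised-range"    # the advice covers Android 13 to 15
    if level < FIX_CVE_2025_21042:
        return "missing-april-2025-fix"
    if level < FIX_CVE_2025_21043:
        return "missing-september-2025-fix"
    return "patched"

# Constructed sample inventory: device label, Android release, patch level.
SAMPLE_INVENTORY = """\
exec-phone-01,14,2025-03-01
exec-phone-02,15,2025-04-01
field-phone-07,13,2025-09-01
field-phone-09,14,unknown
lab-phone-03,12,2024-11-01
"""

def triage(inventory_text):
    """Map each device label in the inventory to its triage label."""
    results = {}
    for line in inventory_text.splitlines():
        if line.strip():
            name, release, patch = [f.strip() for f in line.split(",")]
            results[name] = classify(release, patch)
    return results

if __name__ == "__main__":
    for name, label in triage(SAMPLE_INVENTORY).items():
        print(f"{name}: {label}")
```

Devices labelled `unknown-patch-level` should be treated as unpatched until the value is confirmed on the device itself.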
*Stay informed and keep your devices updated to stay protected.*
https://www.phonearena.com/news/spyware-attacks-on-galaxy-phones_id175575