Samsung Zero-Day Spyware ‘LANDFALL’ Exploits Millions of Phones

A sophisticated, commercial-grade spyware campaign dubbed “LANDFALL” has been actively exploiting a critical zero-day vulnerability in millions of Samsung Galaxy devices, security researchers at Palo Alto Networks Unit 42 revealed on November 7, 2025. The attack, which leverages a previously unknown flaw in Samsung’s image processing library, allows hackers to gain complete control over a device through a “zero-click” exploit, meaning the victim does not need to interact with anything for their device to be compromised.

The campaign, believed to have been active since at least July 2024, utilized a critical vulnerability tracked as CVE-2025-21042 (CVSS score: 8.8) to deploy a powerful spyware implant on some of Samsung’s most popular flagship phones. While Samsung patched the flaw in its April 2025 security update, the full scale and nature of the attack had not been made public until now, revealing that millions of users were unknowingly vulnerable for nearly ten months.

Expert Insight: “This is a textbook example of a state-sponsored-level attack being deployed in the wild. The use of a zero-click exploit against a core system library represents a significant escalation in mobile threats. It completely bypasses user awareness and traditional mobile security measures, making it one of the most insidious types of attacks we’ve seen targeting Android devices. The LANDFALL spyware is a stark reminder that for high-value targets, the phone in your pocket is the most vulnerable asset you own”.

Anatomy of the LANDFALL Attack

The LANDFALL campaign was a masterclass in stealth and sophistication, combining a novel vulnerability with a common delivery vector to create a powerful weapon.

  • The Vulnerability (CVE-2025-21042): The attack targets a critical out-of-bounds write flaw in a Samsung system library called "libimagecodec.quram.so", which is responsible for processing images. This flaw allows an attacker to execute arbitrary code on the device remotely.
  • The Delivery Vector: The exploit was cleverly embedded within malicious DNG image files, which were then sent to victims via popular messaging apps like WhatsApp. Because the vulnerability exists in a core system library that automatically processes images, the victim did not need to open the image or click on a link for the attack to succeed.
  • The Payload (LANDFALL Spyware): Once the exploit is triggered, it deploys the LANDFALL spyware implant. This commercial-grade spyware is designed for broad surveillance, allowing the attackers to:
    • Exfiltrate photos, messages, and contact lists.
    • Record call logs and track the device’s precise GPS location.
    • Remotely activate the device’s microphone for real-time audio surveillance.

The attack specifically targeted a range of popular Samsung flagship devices, including the Galaxy S22, S23, and S24 series, as well as the Z Fold 4 and Z Flip 4. Any of these devices running Android versions 13 through 15 were vulnerable if they had not installed the April 2025 security patch.

The Rise of Commercial Spyware

The LANDFALL campaign is the latest example of a disturbing trend: the proliferation of powerful, “commercial-grade” spyware available to governments and other entities worldwide. Tools like NSO Group’s Pegasus have demonstrated the immense power of zero-click exploits to target journalists, activists, and political opponents.

These spyware packages operate with a level of stealth and sophistication that renders traditional mobile security tools, such as antivirus and MDM solutions, largely ineffective. They often target vulnerabilities in core operating system components or even the baseband processors that handle cellular communication, areas of the device that are opaque to most security software.

The discovery of LANDFALL suggests a growing marketplace for these “private sector offensive actors” (PSOAs), who develop and sell these powerful cyberweapons to a wide range of clients. This democratization of state-sponsored attack capabilities poses a significant threat to mobile security globally.

Mitigation and Response

In response to the discovery of CVE-2025-21042, Samsung issued a patch as part of its April 2025 security update. All users of Samsung Galaxy devices are strongly urged to ensure their devices are running the latest available software and have installed all security patches from April 2025 or later.
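
A fleet-triage sketch for the patch guidance above, added here as an example (it is not code from Unit 42, Samsung or this article's author). It assumes a hypothetical MDM export with the column names shown and that the April 2025 update reports a security patch level of 2025-04-01 or later; the inventory rows are constructed.

```python
import csv
import io
from datetime import date

# Criteria taken from the article; FIXED_LEVEL assumes the April 2025 update
# reports an Android security patch level of 2025-04-01 or later.
FIXED_LEVEL = date(2025, 4, 1)
NAMED_MODELS = ("galaxys22", "galaxys23", "galaxys24", "zfold4", "zflip4")
AFFECTED_ANDROID = range(13, 16)  # Android 13 through 15

# Constructed sample inventory (hypothetical MDM export, not real devices).
SAMPLE_CSV = """device_id,model,android,security_patch
d1,Galaxy S23 Ultra,14,2025-01-01
d2,Galaxy S24,15,2025-05-01
d3,Galaxy Z Fold4,13,2024-11-01
d4,Galaxy A54,14,2025-02-01
d5,Galaxy S22,14,unknown
"""

def parse_patch(value):
    """Return the patch level as a date, or None if missing or malformed."""
    try:
        return date.fromisoformat(value.strip())
    except (ValueError, AttributeError):
        return None

def classify(row):
    patch = parse_patch(row.get("security_patch"))
    if patch is None:
        return "UNKNOWN"   # fix cannot be confirmed: verify on the device
    if patch >= FIXED_LEVEL:
        return "PATCHED"
    model = (row.get("model") or "").lower().replace(" ", "")
    android = row.get("android") or ""
    named = any(name in model for name in NAMED_MODELS)
    if named and android.isdigit() and int(android) in AFFECTED_ANDROID:
        return "EXPOSED"   # matches every condition the article lists
    return "BEHIND"        # the article's model list is "including", not exhaustive

def triage(csv_text):
    """Map device_id -> status for each row of the inventory."""
    return {r["device_id"]: classify(r) for r in csv.DictReader(io.StringIO(csv_text))}

if __name__ == "__main__":
    for device, status in triage(SAMPLE_CSV).items():
        print(device, status)
```

PATCHED describes only the current patch level: a device that ran an earlier level at any point since July 2024, the start of the campaign period given above, was exposed until it updated.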

However, the LANDFALL incident serves as a critical reminder of the vulnerability of our mobile devices. As attackers increasingly leverage sophisticated zero-click exploits, relying on user awareness is no longer a viable defense strategy. The security of our most personal devices will depend on the continuous, proactive efforts of device manufacturers to identify and patch these deep-seated vulnerabilities before they can be widely exploited.

Ansari Alfaiz

Alfaiz Ansari (Alfaiznova), Founder and E-EAT Administrator of BroadChannel. OSCP and CEH certified. Expertise: Applied AI Security, Enterprise Cyber Defense, and Technical SEO. Every article is backed by verified authority and experience.
