What Is LANDFALL Spyware? Inside the Zero-Click Photo Attack That Targeted Samsung Galaxy Phones

LANDFALL Spyware, a new type of spyware that targets Samsung Galaxy smartphones through a single malicious image file, has sent shockwaves through the cybersecurity world. Researchers at Palo Alto Networks’ Unit 42 found that the advanced Android spyware took advantage of a zero-day flaw in Samsung’s image-processing system. This let hackers get to calls, photos, and messages without the user having to do anything. Sources say that the secret campaign ran from the middle of 2024 to the beginning of 2025 and mostly went after users in the Middle East. This is yet another reminder that even the most powerful devices can be hacked without anyone knowing.

What is LANDFALL?

  • LANDFALL is a new type of Android spyware that has never been seen before. It is called “commercial-grade” spyware instead of just malware.
  • It specifically went after Samsung’s Galaxy S22/S23/S24, Z Fold4, and Z Flip4 flagship devices by taking advantage of a flaw in Samsung’s Android image-processing library.
  • It looks like the campaign was going on for months (from mid-2024 to early 2025) before it was made public.
  • Researchers say that the campaign was more about spying (targeted, stealthy) than spreading malware to a lot of people.

How LANDFALL Spyware Works (infection & technical details)

  • The exploit chain took advantage of a zero-day flaw in Samsung’s image-processing library (libimagecodec.quram.so), tracked as CVE-2025-21042 (also known as SVE-2024-1969).
  • Attackers put the payload into image files that looked harmless (Digital Negative, DNG format) and appended a ZIP archive to the end. The code ran when the vulnerable library processed the file.
  • Delivery vector: through messaging apps, especially WhatsApp. For example, malicious image files sent to victims’ devices.
  • It is thought to have been a zero-click or low-interaction attack, which means that the user didn’t have to open anything.
  • After it was installed, the spyware had different parts that worked together: a loader (.so file), a SELinux policy manipulator (to get higher privileges and stay on the system), and modules for spying.
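
A defender-side check for the file structure described above (a DNG image with a ZIP archive appended to the end), as an added example that is not from Unit 42 or the original article. It assumes DNG files begin with a TIFF header and relies on Python's `zipfile`, which tolerates data prepended to an archive; the sample bytes and the member name are constructed.

```python
import io
import struct
import zipfile

# DNG is a TIFF-based container: little-endian "II*\0" or big-endian "MM\0*".
TIFF_MAGICS = (b"II*\x00", b"MM\x00*")


def find_appended_zip(data: bytes):
    """Return (zip_offset, member_names) if a TIFF/DNG blob carries a trailing ZIP, else None."""
    if data[:4] not in TIFF_MAGICS:
        return None  # not a TIFF container, out of scope for this check
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            infos = zf.infolist()
            if not infos:
                return None
            # zipfile shifts header_offset by the amount of prepended data,
            # so the smallest value is where the archive starts in the file.
            start = min(i.header_offset for i in infos)
            return start, [i.filename for i in infos]
    except zipfile.BadZipFile:
        return None  # no usable ZIP structure found in the file


def make_sample(with_zip: bool) -> bytes:
    """Constructed input: minimal TIFF header plus padding, optionally with a ZIP appended."""
    tiff = b"II*\x00" + struct.pack("<I", 8) + struct.pack("<HI", 0, 0) + b"\x00" * 64
    if not with_zip:
        return tiff
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("constructed_member.bin", b"constructed bytes")
    return tiff + buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("clean", make_sample(False)), ("polyglot", make_sample(True))):
        print(label, find_appended_zip(blob))
```

A hit only means the image has an archive after its image data and deserves triage; it does not by itself identify LANDFALL.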

Capabilities of LANDFALL Spyware

  • Once LANDFALL gets into a device, it can:
    • Use the microphone to record sound.
    • Keep track of exact location (GPS).
    • Extract photos, videos, call logs, contacts, SMS, and files.
    • Work in secret (for example, by changing SELinux policies or hiding itself).

LANDFALL Spyware Timeline & scope

  • July 2024: The first malicious DNG files are uploaded to VirusTotal.
  • September 2024: Samsung is told about the flaw privately.
  • April 2025: Samsung fixes CVE-2025-21042 in its security update.
  • Mid-2024 to early 2025: An active campaign against devices.
  • November 2025: Researchers make LANDFALL public.
  • Geographic scope: Based on submission data, the main targets seem to be in the Middle East (Iraq, Iran, Turkey, Morocco).

LANDFALL Spyware Attribution & motive

  • The researchers at Unit 42 (of Palo Alto Networks) have not definitively linked the spyware to a particular entity.
    • But: Some patterns in the infrastructure are similar to those of known “private-sector offensive actors” (PSOAs) in the Middle East.
    • Researchers observed a resemblance to infrastructure associated with the group Stealth Falcon (also referred to as FruityArmor), which is allegedly connected to the UAE, though no definitive attribution exists.
  • The motive seems to be spying or surveillance instead of making a lot of money. The campaign’s duration, tooling, and stealth all point to high-value targets.

Why it matters

  • It shows how image-processing flaws can make even flagship devices (Samsung’s best models) less secure.
  • The attack used malicious image files, a media type that seems harmless, showing that even handling pictures can be abused.
  • Zero-click or very little user interaction means a very high risk for the people being targeted.
  • Many devices may have been quietly hacked because the flaw was unknown and not fixed for months.
  • It shows a bigger trend: image parsing libraries on both Android and iOS have security holes that are being used for spying.

What can users (and organizations) do?

For users:

  • Make sure your Samsung device has the most recent firmware installed, especially if it is a Galaxy S22, S23, S24, Z Fold4, or Z Flip4. Updating is very important because the patch came out in April 2025.
  • Be careful about getting image files (especially DNG/raw types) from people you don’t know or through messaging apps, even if they look like harmless photos.
  • Set up strong security: make sure the OS is genuine, don’t side-load apps you don’t know, and think about resetting your device if you think it has been compromised.

For organizations / security teams:

  • Keep an eye out for strange communications from endpoints, like connections to suspicious domains or processing of strange image file types.
  • Use mobile endpoint protection that can find zero-click attacks and exploit chains that are based on images.
  • Keep up with threat intelligence: this campaign suggests that image-parsing zero-days are becoming more common, and similar methods may be used against other platforms.

Conclusion:

Every smartphone user should be aware of the LANDFALL spyware case. Hackers could see into people’s lives with just one image. No clicks, no downloads, just pure stealth. Samsung has already fixed the problem, but millions of people need to know how important it is to keep their phones up to date and stay away from files they don’t know about. Your privacy is only as strong as the last security patch you installed in today’s connected world. It’s important to stay alert to keep your personal information safe.
