A sophisticated spyware campaign known as “Landfall” has been found targeting owners of Samsung Galaxy smartphones and likely other Android devices. The campaign was uncovered by cybersecurity researchers at Palo Alto Networks’ Unit 42, who say the tool used a zero-day remote code execution vulnerability (CVE-2025-21042) in Samsung’s image-processing library libimagecodec.quram.so. The flaw had a severity score of 9.8 out of 10 and allowed attackers to take full control of a device without user interaction.
According to the report, the spyware was embedded in malicious DNG image files that appear to have been shared via WhatsApp or other messaging apps. When opened, the files extracted a hidden .zip archive that installed a loader and a policy-manipulator module granting elevated permissions through the system’s SELinux policies. Once active, the spyware could collect location data, microphone recordings, call history, messages, photos, and files. It also had persistence mechanisms capable of executing native code, injecting libraries, and evading detection by removing the original image files.
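As an added example (not code from the Unit 42 report or this article), the following triage script flags the pattern described above: a TIFF-based DNG file that also carries ZIP archive structures. It is a heuristic for defenders inspecting a quarantined file, not a signature for Landfall; the TIFF layout, tag values and payload name are constructed here.

```python
import io
import struct
import zipfile

TIFF_MAGICS = {b"II*\x00": "<", b"MM\x00*": ">"}  # little-/big-endian TIFF (DNG is TIFF-based)
ZIP_SIGS = (b"PK\x03\x04", b"PK\x05\x06")         # ZIP local file header / end of central directory


def find_embedded_zip(data: bytes) -> dict:
    """Heuristic: valid TIFF/DNG header plus ZIP structures anywhere after it.

    Returns {'is_tiff', 'zip_offset', 'zip_entries', 'suspicious'}. A chance
    'PK' sequence inside compressed pixel data can trigger zip_offset, so the
    entry list from a successful ZIP parse is the stronger signal.
    """
    result = {"is_tiff": False, "zip_offset": None, "zip_entries": [], "suspicious": False}
    if len(data) < 8:
        return result
    order = TIFF_MAGICS.get(data[:4])
    if order is None:
        return result
    result["is_tiff"] = True
    first_ifd = struct.unpack(order + "I", data[4:8])[0]
    if first_ifd < 8 or first_ifd >= len(data):
        return result  # malformed IFD pointer; not a parseable TIFF
    # Search only past the 8-byte header so the header itself cannot match.
    offsets = [i for i in (data.find(sig, 8) for sig in ZIP_SIGS) if i != -1]
    if not offsets:
        return result
    result["zip_offset"] = min(offsets)
    result["suspicious"] = True
    # zipfile locates the central directory from the end of the file, so a ZIP
    # appended to an image parses even with the image bytes in front of it.
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            result["zip_entries"] = zf.namelist()
    except zipfile.BadZipFile:
        pass
    return result


def make_tiff_stub(order: str = "<") -> bytes:
    """Constructed minimal TIFF: header plus one IFD holding a single ImageWidth tag."""
    header = (b"II*\x00" if order == "<" else b"MM\x00*") + struct.pack(order + "I", 8)
    ifd = struct.pack(order + "H", 1)                           # one directory entry
    ifd += struct.pack(order + "HHIHH", 0x0100, 3, 1, 1, 0)     # ImageWidth, SHORT, count 1, value 1
    ifd += struct.pack(order + "I", 0)                          # no further IFD
    return header + ifd


def make_sample(with_payload: bool) -> bytes:
    """Constructed test file: clean stub, or stub with a harmless ZIP appended."""
    img = make_tiff_stub()
    if not with_payload:
        return img
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("payload.bin", b"constructed placeholder, not malware")
    return img + buf.getvalue()
```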
The devices affected include Samsung Galaxy S22, S23, S24, Z Fold4, and Z Flip4 models. The campaigns appear to have focused on victims in the Middle East and North Africa, including Iraq, Iran, Turkey, and Morocco. Although no direct attribution was provided, Unit 42 says that the tool seems “commercial grade” and is likely used by private-sector offensive actors who provide services to government entities.
Samsung users must act now to protect their devices
Samsung issued firmware updates in April 2025 to address the vulnerability, and users are urged to apply all available patches immediately. Users who have not applied the updates may remain at risk of a remote takeover with no visible signs of compromise. Unit 42 identified at least six command-and-control servers actively used by the attackers, indicating an ongoing operation.
Security experts recommend that Galaxy owners take several key steps: ensure that their device software is fully updated, avoid opening image attachments from unknown or unsolicited sources, and enable strong device-level protections such as biometric authentication or PIN codes. It is also advisable to use apps from trusted stores only and to enable features like Samsung Knox or Android’s built-in threat detection if available. Because the spyware can access deep system permissions, methods beyond standard anti-malware tools may be required.
This incident demonstrates how message-based infection vectors such as DNG files can deliver powerful threats to mobile users. It also underscores the risks when a widely used device enters the crosshairs of advanced espionage tools. For affected users, the focus must now be on detection, containment, and remediation.