What is Landfall spyware and how it hacked Samsung Galaxy phones: Explained

Landfall is Android spyware that hit Samsung Galaxy phones via a zero click image flaw (CVE-2025-21042). Sent as DNG images, it enabled data theft and tracking. Samsung fixed it in an April 2025 update.

Kanika Budhiraja
Published 12 Nov 2025, 07:38 PM IST
Landfall spyware used a zero click image flaw to breach Galaxy phones.

Security researchers have detailed a new Android spyware family called Landfall that was used against Samsung Galaxy devices in a months-long campaign. The operation relied on a previously unknown flaw in Samsung’s image processing library. Attackers could plant the spyware by sending a single crafted image to a phone. Samsung fixed the bug in April 2025.

Unit 42, the research arm of Palo Alto Networks, says the exploit chain abused CVE-2025-21042 in the component libimagecodec.quram.so. Specially formed DNG image files triggered the flaw when the phone parsed them, giving the attacker control without any tap from the user. In practice this was a zero click delivery.

Once installed, Landfall behaved like commercial grade surveillance software. It could capture microphone audio, collect photos, contacts and call logs, and track precise location. The campaign appears to have focused on specific targets rather than the general public, with signs of activity in parts of the Middle East from mid 2024 into early 2025. Researchers have not named a developer or a buyer behind the tool.

Code artefacts pointed to recent Galaxy lines as potential targets, including the Galaxy S22, S23, S24 and some Z series foldables. Devices running Android 13, 14 or 15 on older Samsung firmware were at risk before the April security update. Samsung addressed CVE-2025-21042 in its April 2025 Security Maintenance Release and later advisories highlight that image parsing remains a common attack path.

There is a wider context beyond Android. Apple patched a similar class of image parsing flaw in August and later introduced Memory Integrity Enforcement on its latest iPhone chips and software to raise the bar against Pegasus-like attacks. There is no confirmation that Landfall itself reached iOS, but the timing on both platforms points to image parsers as a favoured entry point for advanced actors.

What should Galaxy users do?

  • Update your Galaxy phone to the latest firmware. The April 2025 security update or newer contains the fix for CVE-2025-21042. Check under Settings, Software update, Download and install.
  • Be careful with unexpected images or files, even from known contacts. Consider turning off automatic media downloads in messaging apps if you do not need them.
  • Keep apps current and leave built in protections enabled. Avoid installing apps from outside trusted stores.
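
For anyone checking more than one handset, the patch check in the first step can be scripted. The following is an added example, not code from Unit 42, Samsung or this article; it assumes property dumps collected with `adb shell getprop`, treats the Android security patch level as a proxy for the April 2025 update, and runs on constructed sample dumps.

```python
import re
from datetime import date

# Assumption: the Android patch-level string stands in for Samsung's
# April 2025 Security Maintenance Release named in the article.
FIXED_LEVEL = date(2025, 4, 1)
AFFECTED_ANDROID = {"13", "14", "15"}  # versions the article lists as at risk
PROP_RE = re.compile(r"^\[([^\]]+)\]: \[([^\]]*)\]$")

def parse_getprop(text):
    """Turn getprop lines of the form '[key]: [value]' into a dict."""
    props = {}
    for line in text.splitlines():
        m = PROP_RE.match(line.strip())
        if m:
            props[m.group(1)] = m.group(2)
    return props

def triage(text):
    """Return patched, exposed, review, unknown or not-samsung for one dump."""
    p = parse_getprop(text)
    if p.get("ro.product.manufacturer", "").lower() != "samsung":
        return "not-samsung"
    try:
        level = date.fromisoformat(p["ro.build.version.security_patch"])
    except (KeyError, ValueError):
        return "unknown"  # property missing or malformed: check by hand
    if level >= FIXED_LEVEL:
        return "patched"
    major = p.get("ro.build.version.release", "").split(".")[0]
    # Old patch level outside Android 13-15 is not covered by the article.
    return "exposed" if major in AFFECTED_ANDROID else "review"

def make_dump(maker, release, patch=None):
    """Build a constructed getprop dump (hypothetical helper for the samples)."""
    lines = [f"[ro.product.manufacturer]: [{maker}]",
             f"[ro.build.version.release]: [{release}]"]
    if patch:
        lines.append(f"[ro.build.version.security_patch]: [{patch}]")
    return "\n".join(lines)

# Constructed sample dumps, not real devices.
SAMPLES = {
    "phone-a": make_dump("samsung", "14", "2025-03-01"),
    "phone-b": make_dump("samsung", "15", "2025-04-01"),
    "phone-c": make_dump("Google", "15", "2024-12-05"),
    "phone-d": make_dump("samsung", "12", "2024-01-01"),
    "phone-e": make_dump("samsung", "13"),
}

def triage_all(dumps):
    return {name: triage(text) for name, text in dumps.items()}
```

A verdict of "exposed" means the handset should be updated first; "review" and "unknown" need a manual look.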

Why does this matter?

Landfall shows how a normal looking image can be enough to compromise a device when a deep system component is vulnerable. The fix is available and the window for this specific bug is closed, but the pattern is clear. Attackers are leaning on image and media parsers to get in, and both major phone platforms are moving to harden that path. Staying patched remains the most effective defence.
