Key Takeaways
- Samsung Galaxy devices were targeted by ‘LANDFALL’ spyware via malicious DNG image files
- The spyware exploited zero-day vulnerabilities to access photos, contacts, call logs, and record audio
- Primary targets were users in Middle Eastern countries including Iraq, Iran, Turkey, and Morocco
- Samsung released security patches in April and September 2025 to address the vulnerabilities
Samsung Galaxy users faced a sophisticated spyware campaign that exploited critical vulnerabilities in Android’s image processing system. The ‘LANDFALL’ spyware, discovered by researchers, allowed hackers to infiltrate devices without user interaction through malicious image files.
Zero-Day Vulnerability Exploited
According to Unit 42 research, the LANDFALL spyware leveraged a zero-day flaw identified as CVE-2025-21042 in Samsung’s Android image processing library. The malware was concealed within Digital Negative (DNG) files, a raw image format based on TIFF.
The campaign remained active from mid-2024 until Samsung addressed the vulnerability through firmware updates in April 2025. A related security flaw, CVE-2025-21043, was subsequently patched in September 2025 to prevent similar attacks.
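A defender-side triage check for the DNG vector described above, added here as an example (not code from Unit 42, Samsung or the original article): it walks the TIFF directory structure of a file and reports bytes that no directory entry accounts for. The page does not say how the payload was embedded, so treating unreferenced trailing data as the signal is an assumption; the function names and the sample file are constructed for illustration.

```python
import struct
# Byte size per TIFF field type (1=BYTE .. 12=DOUBLE); unknown types count as 1.
TYPE_SIZE = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 6: 1, 7: 1, 8: 2, 9: 4, 10: 8, 11: 4, 12: 8}
SUB_IFD_TAGS = (330, 34665)                  # SubIFDs, ExifIFD: values point at more IFDs
DATA_PAIRS = {273: 279, 324: 325, 513: 514}  # offsets tag -> byte-counts tag
WANTED = set(SUB_IFD_TAGS) | set(DATA_PAIRS) | set(DATA_PAIRS.values())

def referenced_end(data):
    """Highest file offset that the TIFF/DNG directory structure accounts for."""
    bo = {b"II": "<", b"MM": ">"}.get(data[:2])
    if bo is None or len(data) < 8 or struct.unpack_from(bo + "H", data, 2)[0] != 42:
        raise ValueError("not a classic TIFF container")
    (first,) = struct.unpack_from(bo + "I", data, 4)
    end, todo, seen = 8, [first], set()
    while todo:
        off = todo.pop()
        if off == 0 or off in seen or off + 2 > len(data):
            continue
        seen.add(off)
        (n,) = struct.unpack_from(bo + "H", data, off)
        nxt = off + 2 + 12 * n                 # position of the next-IFD pointer
        if nxt + 4 > len(data):
            continue                           # truncated directory, ignore it
        fields = {}
        for pos in range(off + 2, nxt, 12):
            tag, typ, cnt = struct.unpack_from(bo + "HHI", data, pos)
            size = TYPE_SIZE.get(typ, 1) * cnt  # values of <= 4 bytes are stored inline
            start = pos + 8 if size <= 4 else struct.unpack_from(bo + "I", data, pos + 8)[0]
            end = max(end, start + size)
            if tag in WANTED and typ in (3, 4) and start + size <= len(data):
                fields[tag] = struct.unpack_from(f"{bo}{cnt}{'H' if typ == 3 else 'I'}", data, start)
        end = max(end, nxt + 4)
        todo.append(struct.unpack_from(bo + "I", data, nxt)[0])
        for tag in SUB_IFD_TAGS:
            todo.extend(fields.get(tag, ()))
        for off_tag, cnt_tag in DATA_PAIRS.items():
            for o, c in zip(fields.get(off_tag, ()), fields.get(cnt_tag, ())):
                end = max(end, o + c)          # strip, tile or embedded JPEG data
    return end

def trailing_bytes(data):
    """Number of bytes after the last referenced offset (0 for a tight file)."""
    return max(0, len(data) - referenced_end(data))

def sample_tiff():
    """Constructed minimal little-endian TIFF: one IFD and one 4-byte strip."""
    ifd = struct.pack("<HHHII", 2, 273, 4, 1, 38)     # 2 entries; StripOffsets -> byte 38
    ifd += struct.pack("<HHIII", 279, 4, 1, 4, 0)     # StripByteCounts = 4; next IFD = 0
    return b"II" + struct.pack("<HI", 42, 8) + ifd + b"\x00" * 4
```

A non-zero result is a reason to look closer, not a verdict: vendor-private directories that this walker does not follow can also leave data unreferenced.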
Spyware Capabilities and Targets
LANDFALL functioned as modular spyware specifically designed for Samsung Galaxy devices. Between July 2024 and February 2025, multiple malicious DNG files containing the spyware were identified online.
The malware provided attackers with extensive surveillance capabilities including:
- Secret audio recording
- Location tracking
- Access to personal photos, contacts, and call logs
Affected device models included Samsung Galaxy S22, S23 Series, S24 Series, Z Fold 4, and Z Flip 4. The campaign primarily targeted users in Middle Eastern nations such as Iraq, Iran, Turkey, and Morocco.
Detection and Response Timeline
Researchers first reported the issue to Samsung in September 2024. The company responded with security patches in April 2025, followed by additional fixes in September 2025 for the related CVE-2025-21043 vulnerability identified by WhatsApp researchers.
Mobile security experts note that sophisticated malware like LANDFALL typically relies on multiple vulnerability chains to fully compromise devices.



