
LANDFALL Spyware Targeted Samsung Galaxy Phones via Malicious Images


Unit 42 discovered LANDFALL, commercial-grade Android spyware, which used a hidden image vulnerability (CVE-2025-21042) to remotely spy on Samsung Galaxy users via WhatsApp. Update your phone now.

Security researchers from Palo Alto Networks’ Unit 42 have discovered a dangerous new commercial-grade spyware called LANDFALL that secretly targeted Samsung Galaxy smartphones for months.

This sophisticated campaign relied on a hidden flaw to turn everyday image files sent over apps like WhatsApp into a tool for comprehensive surveillance. As detailed in Unit 42’s technical blog post, the foundation of this attack was a previously unknown zero-day vulnerability in a special Samsung software library (libimagecodec.quram.so) that handles image processing.

This vulnerability, tracked as CVE-2025-21042, allowed attackers to sneak the LANDFALL spyware onto a device without the user doing anything, not even clicking on a link. This is called a zero-click exploit, which is among the most dangerous attacks as it ...


Copyright of this story solely belongs to hackread.com.