‘Landfall’ spyware abused Samsung zero‑day (CVE‑2025‑21042) to hack Galaxy phones for months — patched in April: What happened and how to stay safe

Published: November 7, 2025

Security researchers have uncovered a previously unknown, commercial‑grade Android spyware operation—dubbed Landfall—that exploited a zero‑day flaw in Samsung Galaxy phones and ran largely undetected for close to a year, with targets concentrated in parts of the Middle East. Samsung fixed the underlying vulnerability in an April 2025 firmware update, but the campaign and its methods are only now coming to light.

What is “Landfall” and how did the hack work?

According to Palo Alto Networks’ Unit 42—whose research underpins today’s coverage—Landfall delivered spyware via malicious image files that abused CVE‑2025‑21042, an out‑of‑bounds write bug in Samsung’s libimagecodec.quram.so library. The booby‑trapped images (Digital Negative, or DNG format) could be sent over messaging apps; Unit 42 says the exploit chain may have been zero‑click (no tap required), though there’s no evidence of an undisclosed WhatsApp bug in this Android campaign. Once processed by the phone, the payload unpacked additional components and modified SELinux policies to expand its data‑stealing reach.

Landfall’s capabilities include microphone recording, location tracking, and exfiltration of photos, messages, contacts, and call logs—the hallmarks of advanced mobile surveillanceware sold to government customers by private‑sector offensive actors.

Who was targeted—and for how long?

Unit 42’s timeline points to first samples appearing in July 2024, with additional uploads through February 2025, suggesting a months‑long operation prior to Samsung’s patch. VirusTotal submissions and national CERT reporting indicate potential targeting in Iraq, Iran, Turkey, and Morocco. Researchers describe the operation as a precision espionage effort, not mass malware distribution.

Which devices and Android versions were affected?

Landfall’s code referenced a range of Galaxy flagships—including S22, S23, S24 and Z Fold 4 / Z Flip 4—and targeted devices running Android 13–15 for CVE‑2025‑21042 (patched in SMR Apr‑2025 Release 1). A related image‑processing flaw, CVE‑2025‑21043, affecting Android 13–16, was separately patched in September 2025 after in‑the‑wild exploitation by spyware operators; Unit 42 notes technical parallels but no direct evidence that 21043 was used in the Landfall samples they analyzed.

How serious is CVE‑2025‑21042?

NVD lists CVE‑2025‑21042 with a CVSS v3.1 score of 8.8 and vectors consistent with remote code execution when a crafted image is processed. That aligns with Unit 42’s finding that malformed DNG files could trigger the bug and launch the spyware loader. Samsung’s bulletin ties the fix to April 2025 firmware and maps the issue to SVE‑2024‑1969.

Any links to known spyware vendors?

Attribution remains unclear. Researchers observed infrastructure and tradecraft overlaps with Stealth Falcon (also known as FruityArmor)—a surveillance outfit previously linked by researchers to operations targeting journalists and dissidents—but stress the similarities are not enough for firm attribution. This fits a broader pattern of private‑sector offensive actors (PSOAs) running bespoke, government‑focused hacking tools.

Why are DNG image bugs suddenly a big deal?

Landfall is part of a 2024–2025 wave of attacks abusing image‑parsing flaws across mobile platforms. In August 2025, Apple patched CVE‑2025‑43300, and Meta/WhatsApp disclosed CVE‑2025‑55177 as part of a chained iOS exploit targeting fewer than 200 users. In September 2025, Samsung fixed CVE‑2025‑21043 in the same image library affected by Landfall’s 21042 exploit. The common thread: carefully crafted image files processed by system libraries can yield zero‑click compromise.

What Samsung users should do now

• Update immediately. Ensure your Galaxy device shows the latest Security Maintenance Release (SMR)—April 2025 or later for CVE‑2025‑21042, and September 2025 or later for CVE‑2025‑21043. On most devices: Settings → Software update → Download and install.
• Verify your patch level. Confirm your device’s Android security update level and firmware build are current; Samsung’s advisories list the CVEs and SMR months that include fixes.
• Harden messaging settings. While no new WhatsApp flaw is implicated on Android here, consider limiting auto‑download of media from unknown senders and keep apps updated from official stores.
• Enterprise defenders: Review Unit 42’s technical write‑up for IOCs (hashes, network indicators) and detection guidance, and hunt for suspicious image‑processing crashes or anomalous libimagecodec activity around the 2024–early‑2025 window.

Key dates and facts at a glance

• Sept. 25, 2024: Vulnerability privately reported to Samsung (later assigned CVE‑2025‑21042 / SVE‑2024‑1969).
• July 2024 – Feb. 2025: Landfall samples uploaded to VirusTotal; targeting observed across parts of the Middle East/North Africa.
• April 2025: Samsung patches CVE‑2025‑21042 in the SMR Apr‑2025 update.
• Aug.–Sept. 2025: Parallel iOS/WhatsApp exploit chain disclosed; Samsung patches CVE‑2025‑21043 (same library).
• Nov. 7, 2025: Unit 42 publishes research; outlets confirm the campaign’s scope and targets.

The bottom line

Landfall underscores how quietly weaponized media files can turn a phone into a live microphone and tracking device—without a tap. If you use a Samsung Galaxy device, the fix has been out for months, but protection only comes once you install it. For organizations with high‑risk users, treat image‑parsing RCE on mobile as a priority threat category and ensure rapid SMR adoption, mobile EDR coverage, and targeted threat hunting that includes DNG‑based exploit chains.

Sources, November 7, 2025 coverage and primary research: Unit 42 technical report; TechCrunch; The Hacker News; SecurityWeek; The Record; The Register; Samsung advisories / NVD.