A now-patched security flaw in Samsung Galaxy devices was exploited as a zero-day to deliver Android spyware dubbed ‘Landfall’ in targeted attacks across the Middle East, cybersecurity firm Palo Alto Networks’ Unit 42 said.
The campaign exploited CVE-2025-21042, an out-of-bounds write vulnerability in the libimagecodec.quram.so component that can allow remote code execution. Samsung fixed the issue in April 2025 after Unit 42 found evidence the bug had been used in the wild.
Unit 42, which is tracking the operation as CL-UNK-1054, linked potential victims to submissions from Iraq, Iran, Turkey and Morocco on VirusTotal. The researchers said the attackers delivered the spyware via malicious DNG (Digital Negative) image files (typically sent over WhatsApp) with artifacts dating back to July 23, 2024 and continuing through February 2025.
Landfall acts as a full-featured surveillance tool capable of harvesting microphone recordings, location, photos, contacts, SMS, files and call logs.
Analysis found the DNG files carried a ZIP archive that extracted a shared object library to run the spyware, along with another library that manipulates the device’s SELinux policy to gain elevated permissions and persistence.
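The delivery structure described above (an image file that carries a ZIP archive holding a shared object) can be screened for with a simple triage check. The following is an added example, not Unit 42's tooling and not derived from an actual Landfall sample: it scans a TIFF/DNG-style file for an embedded ZIP archive and flags members whose names look like native libraries. The sample bytes are constructed, and the member names and the suffix list are assumptions.

```python
import io
import zipfile

TIFF_MAGICS = (b"II*\x00", b"MM\x00*")   # DNG is TIFF-based; both byte orders
ZIP_LOCAL_HEADER = b"PK\x03\x04"
SUSPECT_SUFFIXES = (".so", ".dex", ".sh")  # assumption: member types worth flagging

def build_sample_dng_with_zip() -> bytes:
    """Constructed sample: minimal TIFF header + padding + an appended ZIP.
    The ZIP member is a placeholder ELF stub, not real code."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("lib/payload.so", b"\x7fELF" + b"\x00" * 32)
        zf.writestr("readme.txt", b"benign text")
    return b"II*\x00" + b"\x08\x00\x00\x00" + b"\x00" * 64 + buf.getvalue()

def find_embedded_zip(data: bytes):
    """Return (offset, member_names) for the first parseable ZIP inside data,
    or None. Each local-header signature is tried as a candidate start."""
    pos = data.find(ZIP_LOCAL_HEADER)
    while pos != -1:
        try:
            with zipfile.ZipFile(io.BytesIO(data[pos:])) as zf:
                return pos, zf.namelist()
        except zipfile.BadZipFile:
            pass
        pos = data.find(ZIP_LOCAL_HEADER, pos + 1)
    return None

def triage_image(data: bytes) -> dict:
    """Summarise whether a file has a TIFF/DNG header, carries a ZIP, and
    whether that ZIP contains members with suspicious names."""
    is_tiff = data[:4] in TIFF_MAGICS
    hit = find_embedded_zip(data)
    offset = hit[0] if hit else None
    names = hit[1] if hit else []
    flagged = [n for n in names if n.lower().endswith(SUSPECT_SUFFIXES)]
    return {
        "tiff_header": is_tiff,
        "embedded_zip_offset": offset,
        "suspicious_members": flagged,
        "verdict": "suspicious" if flagged else "no finding",
    }

if __name__ == "__main__":
    print(triage_image(build_sample_dng_with_zip()))
```

A ZIP appended to an image is not proof of compromise on its own, but a shared object inside an image file is a strong enough signal to pull the file for deeper analysis.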
Landfall targets Samsung Galaxy flagship models, including the S22, S23, S24, Z Fold 4 and Z Flip 4, although researchers found no indication the latest generation was targeted. Samsung disclosed in September 2025 that a different bug in the same library (CVE-2025-21043) had been exploited as a zero-day, though Unit 42 said there’s no evidence this flaw was used in the Landfall attacks.
At present, it’s not clear who is behind the spyware. According to Unit 42, the spyware’s command-and-control (C&C) infrastructure and domain registration share similarities with the Stealth Falcon (aka FruityArmor) cluster.
Additionally, analysis of the debug artifacts revealed that the spyware component refers to itself as “Bridge Head,” a nickname commonly used by some private-sector offensive cyber companies (including NSO, Variston, Cytrox and Quadream) for first-stage loaders. However, this is not enough evidence for direct attribution, the researchers noted.