Key Takeaways
- A spyware campaign exploited a Samsung software flaw via weaponized DNG images sent through WhatsApp.
- The “Landfall” spyware could infect devices without user interaction (zero-click attack).
- Affected models include Galaxy S22, S23, S24, Z Fold 4, and Z Flip 4.
- Samsung patched the vulnerability in April 2025 after months of exposure.
A sophisticated spyware campaign has been targeting Samsung Galaxy smartphones through a critical vulnerability in the device’s image-processing software. The attack, which required no user interaction beyond receiving a message, allowed hackers to install commercial-grade spyware simply by sending a weaponized image file.
What is the Landfall Spyware?
Security researchers from Palo Alto Networks’ Unit 42 uncovered a spyware operation that remained active for nearly a year. The campaign exploited a flaw in Samsung’s software to infiltrate phones without requiring victims to click any links or install suspicious apps.
The hackers used a commercial spyware called “Landfall,” which they concealed within seemingly harmless photos distributed through popular messaging applications like WhatsApp.
How the Attack Works
The vulnerability, tracked as CVE-2025-21042, existed in Samsung’s image-processing library. Attackers weaponized Digital Negative (DNG) image files, disguising them as ordinary JPEGs, and delivered them through messaging platforms.
This constituted a “zero-click” attack where simply receiving the image could silently compromise the device. Users wouldn’t need to download, open, or interact with the file for the infection to occur.
Spyware Capabilities and Targets
Once installed, Landfall functioned as a comprehensive surveillance tool capable of:
- Monitoring all phone calls and recording conversations
- Accessing photos, messages, and contact lists
- Tracking the user’s location in real-time
- Scouring through personal data and communications
The primary targets included users of Galaxy S22, S23, S24, Z Fold 4, and Z Flip 4 models across several Middle Eastern countries, particularly Turkey, Iran, Iraq, and Morocco.
Timeline of the Vulnerability
Researchers first detected the spyware campaign in mid-2024, though it had been operating undetected for months prior. Samsung was notified about the security issue in September 2024 but didn’t release a patch until April 2025.
This nearly seven-month gap left numerous devices vulnerable to silent surveillance despite the company’s awareness of the threat.
Protection and Recommendations
Samsung users who have installed the April 2025 security update are now protected against this specific vulnerability. However, the Landfall incident serves as a stark reminder about the evolving nature of mobile threats.
Security experts recommend:
- Avoid downloading media files from unknown contacts on messaging apps
- Regularly install the latest security patch updates
- Be cautious of any unsolicited images, even from known contacts
- Enable automatic security updates when available
