Key Takeaways
- Samsung Galaxy phones were targeted by spyware through WhatsApp images for nearly a year
- Attack exploited CVE-2025-21042 vulnerability in Samsung’s image processing
- Landfall spyware could access calls, messages, photos, contacts and location data
- Targeted devices included S22, S23, S24, Z Fold 4 and Z Flip 4 models
A sophisticated spyware campaign targeted Samsung Galaxy phones through seemingly innocent WhatsApp images, operating undetected for almost a year. The attack exploited a critical vulnerability in Samsung’s software that allowed hackers to compromise devices without any user interaction.
The Zero-Click Threat
Security researchers from Palo Alto Networks’ Unit 42 uncovered the operation, which used commercial-grade spyware called Landfall. What made this campaign particularly dangerous was its simplicity – no fake links to click, no suspicious apps to install, just regular-looking images that could completely compromise a device.
The attack relied on a zero-day vulnerability that gave hackers immediate access the moment an image reached the phone. This turned the routine act of receiving photos into a potential surveillance operation.
How the Attack Worked
The vulnerability, tracked as CVE-2025-21042, was hidden in Samsung’s image-processing library. Attackers weaponized Digital Negative (DNG) image files, disguising them as ordinary JPEGs, and delivered them through messaging apps like WhatsApp.
Once inside, Landfall functioned as a comprehensive surveillance tool. It could:
- Monitor phone calls and record conversations
- Access photos, messages and contact lists
- Track the user’s real-time location
- Scrape sensitive personal data
Targeted Victims and Timeline
The primary targets were Galaxy S22, S23, S24, Z Fold 4, and Z Flip 4 users across Middle Eastern countries including Turkey, Iran, Iraq, and Morocco.
Researchers detected the spyware in mid-2024, but it operated undetected for months. Samsung was informed about the vulnerability in September 2024 but only released a patch in April 2025, leaving devices exposed for approximately seven months.
Espionage Connections
Unit 42 discovered the campaign while analyzing Google’s VirusTotal database, where they found multiple infected DNG files uploaded from the Middle East between 2024 and early 2025.
The digital signatures of Landfall showed similarities to work by Stealth Falcon, a surveillance group previously linked to attacks on journalists and dissidents in the UAE. However, researchers cautioned against definitive attribution due to insufficient evidence.
“It was a precision attack, not a mass campaign,” said Itay Cohen, senior principal researcher at Unit 42. “That strongly suggests espionage motives rather than financial gain.”
Turkey’s national cyber agency confirmed the threat by flagging one of the spyware’s command-and-control servers as malicious, indicating Turkish users were likely among the victims.
Protection and Lessons
Samsung users who have installed recent security updates are now protected against this specific threat. However, the Landfall incident serves as a stark reminder that modern spyware can infiltrate devices without any user action, highlighting the critical importance of and .
