Spyware Alert: A powerful spyware campaign called Landfall has been caught targeting Samsung Galaxy smartphones through WhatsApp images — without users needing to tap or download anything. The operation, discovered by cybersecurity researchers at Palo Alto Networks’ Unit 42, exploited a zero-day vulnerability in Samsung’s image-processing software, allowing hackers to spy on victims silently for months.
Zero-Click Spyware Attack via WhatsApp Images
The attack centered around a vulnerability identified as CVE-2025-21042, hidden deep within Samsung’s image-handling library. Hackers used Digital Negative (DNG) image files disguised as regular JPEGs and spread them through popular messaging apps such as WhatsApp. Once the image was received on a vulnerable phone, the malicious code automatically executed — no clicks, no installs, just instant compromise.
This type of zero-click attack is among the most dangerous forms of cyber intrusion because it leaves users virtually powerless. Landfall gave attackers complete control of infected devices, allowing them to record calls, access photos and messages, steal contacts, monitor location, and even turn on microphones for real-time spying.
Who Was Targeted
Researchers found that the campaign primarily hit Samsung Galaxy S22, S23, S24, Z Fold 4, and Z Flip 4 users across Turkey, Iran, Iraq, and Morocco. Evidence suggests the spyware operated from mid-2024 and remained undetected until early 2025.
Samsung was notified of the flaw in September 2024 but did not release a security patch until April 2025, leaving many phones exposed for nearly six months. The company has since patched the vulnerability, and users who regularly update their devices are now protected.
Links to Known Spy Networks
Unit 42 analysts discovered the infected image files while investigating uploads on Google’s VirusTotal, a public malware database. Digital fingerprints linked Landfall to the Stealth Falcon group — a cyber-espionage unit previously tied to surveillance operations against journalists and activists in the UAE. However, researchers could not definitively confirm the group’s involvement.
According to Itay Cohen, Senior Principal Researcher at Unit 42, “This was a precision operation, not a mass campaign. The focus and sophistication point to espionage rather than financial motives.”
Turkey’s national cybersecurity agency also flagged one of Landfall’s control servers as malicious, suggesting Turkish users may have been among the key targets.
What Samsung Users Should Do Now
Samsung has already issued a security update to fix the flaw. Users are strongly advised to update their Galaxy phones immediately to stay protected from potential exploitation. This incident serves as a reminder that even premium devices are not immune to advanced spyware — and that keeping software up to date is the best defense against zero-day threats.
Key Takeaways:
- Spyware Landfall spread via WhatsApp images in a zero-click attack.
- Exploited Samsung flaw CVE-2025-21042 in image processing.
- Targeted Galaxy S22, S23, S24, Z Fold 4, and Z Flip 4 users in the Middle East.
- Operated undetected for nearly a year.
- Samsung patched the issue in April 2025.
- Possible links to the Stealth Falcon espionage group.
An attention-grabbing dialogue is worth comment. I believe that you must write more on this topic, it won’t be a taboo subject however usually persons are not enough to talk on such topics. To the next. Cheers