Samsung Galaxy users are being warned about a spyware campaign that has been active for almost a year, exploiting a vulnerability in Samsung’s software to infiltrate devices without any user interaction. The spyware, named Landfall, was concealed within innocent-looking images and distributed through messaging apps like WhatsApp.
What sets this campaign apart is its simplicity – victims did not need to click on fake links or download suspicious apps; all it took was opening a seemingly harmless image for the device to be compromised. Security experts revealed that the attack leveraged a zero-day bug in Samsung’s image-processing library, allowing hackers to gain access as soon as the image was received, making the act of receiving photos a potential spying operation.
The exploit, identified as CVE-2025-21042, involved the weaponization of Digital Negative (DNG) image files disguised as regular JPEGs, which were sent through messaging platforms. Once the malicious images were received, the devices could be compromised silently, constituting a classic “zero-click” attack.
Once installed, Landfall functioned as a comprehensive spy tool, capable of eavesdropping on calls, accessing photos and messages, reviewing contacts, recording conversations, and monitoring the user’s location. The targets primarily included users of Galaxy S22, S23, S24, Z Fold 4, and Z Flip 4 devices in regions of the Middle East such as Turkey, Iran, Iraq, and Morocco.
According to reports, the spyware was initially detected in mid-2024 and operated undetected for several months. Although Samsung was alerted to the issue in September 2024, a patch was only issued in April 2025, leaving devices vulnerable for nearly six months. While the security flaw has been addressed, this incident underscores that even high-end smartphones are susceptible to covert surveillance.
The discovery of this campaign was accidental, as security researchers at Unit 42 came across suspicious DNG files uploaded from the Middle East on Google’s VirusTotal malware database. These files exhibited similarities to the tactics of a known surveillance group called Stealth Falcon, previously associated with spying on journalists and dissidents in the UAE. However, definitive attribution of the malware creator or distributor could not be made due to insufficient evidence.
Describing the attack as precise and targeted, Itay Cohen, senior principal researcher at Unit 42, suggested espionage motives rather than financial gain. Turkey’s national cyber agency identified one of the spyware’s command-and-control servers as malicious, indicating potential Turkish victims.
For now, Samsung users who have updated their devices are secure. Nevertheless, the Landfall incident serves as a stark reminder that spyware is advancing rapidly and can infiltrate devices without the need for user interaction.