Spyware Attack via WhatsApp Images Targets Samsung Galaxy Phones: Landfall Exploit Exposes Serious Security Flaw


Hackers exploited a zero-day flaw in Samsung’s image library, using WhatsApp photos to deploy Landfall spyware across Galaxy phones silently.

Samsung Galaxy smartphone users have been urged to stay cautious after cybersecurity researchers uncovered a stealthy spyware campaign that used WhatsApp images to compromise devices without any user interaction. The malicious operation, identified by Palo Alto Networks’ Unit 42, involved a spyware strain called Landfall, which exploited a vulnerability in Samsung’s image-processing system to infiltrate phones quietly.

The attack, which reportedly ran undetected for almost a year, targeted Galaxy users in parts of the Middle East—including Turkey, Iran, Iraq, and Morocco—by sending seemingly harmless photos embedded with malware. What makes this incident particularly alarming is that victims didn’t need to open or tap anything; simply receiving the image was enough to let the hackers in.

According to Unit 42, the attackers weaponized Digital Negative (DNG) image files, disguising them as everyday JPEGs. The vulnerability, listed as CVE-2025-21042, was found deep within Samsung’s proprietary image-handling library. Once a phone received one of these infected images, the malware gained access immediately—executing a zero-click attack that gave hackers complete control over the device.
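A defender-side triage check for the disguise described above, added here as an illustration and not taken from Unit 42's tooling or from this article: it flags files named like JPEGs whose content is actually TIFF/DNG. The function names and sample bytes are constructed for the example; the DNGVersion tag number (50706) comes from the DNG format itself. A mismatch only shows that the extension is misleading, not that the file carries an exploit.

```python
import struct

DNG_VERSION_TAG = 0xC612  # DNGVersion (50706), stored in IFD0 of DNG files
JPEG_EXTS = (".jpg", ".jpeg")

def sniff_image(data: bytes) -> str:
    """Return 'jpeg', 'dng', 'tiff' or 'unknown' from content, ignoring the name."""
    if data[:3] == b"\xff\xd8\xff":
        return "jpeg"
    if data[:4] == b"II*\x00":
        endian = "<"
    elif data[:4] == b"MM\x00*":
        endian = ">"
    else:
        return "unknown"
    # TIFF header: 2-byte order mark, 2-byte magic 42, 4-byte offset of IFD0
    try:
        (ifd0,) = struct.unpack_from(endian + "I", data, 4)
        (count,) = struct.unpack_from(endian + "H", data, ifd0)
        for i in range(count):
            # each IFD entry is 12 bytes: tag, type, count, value/offset
            (tag,) = struct.unpack_from(endian + "H", data, ifd0 + 2 + 12 * i)
            if tag == DNG_VERSION_TAG:
                return "dng"
    except struct.error:
        pass  # truncated or malformed IFD: still TIFF-family by magic
    return "tiff"

def is_disguised_raw(filename: str, data: bytes) -> bool:
    """True when a file named like a JPEG actually holds TIFF/DNG content."""
    return filename.lower().endswith(JPEG_EXTS) and sniff_image(data) in ("dng", "tiff")

def build_sample_tiff(tags, endian="<"):
    """Constructed sample: minimal TIFF-family header with one IFD, no pixels."""
    head = (b"II*\x00" if endian == "<" else b"MM\x00*") + struct.pack(endian + "I", 8)
    body = struct.pack(endian + "H", len(tags))
    for tag in tags:
        body += struct.pack(endian + "HHII", tag, 1, 4, 0)  # type BYTE, count 4
    return head + body + struct.pack(endian + "I", 0)

if __name__ == "__main__":
    samples = {  # constructed inputs, not real campaign files
        "IMG-0001.jpg": build_sample_tiff([0x0100, DNG_VERSION_TAG]),
        "IMG-0002.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,
        "scan.dng": build_sample_tiff([DNG_VERSION_TAG], ">"),
    }
    for name, blob in samples.items():
        print(name, sniff_image(blob), is_disguised_raw(name, blob))
```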

Once installed, Landfall operated as a full-scale surveillance tool. It could record calls, steal photos and messages, access contacts, eavesdrop through the microphone, and even trace the user’s location in real time. Investigators noted that the primary targets were users of Galaxy S22, S23, S24, Z Fold 4, and Z Flip 4 models.

The spyware was first detected in mid-2024 and continued to operate unnoticed for months. Although Samsung was notified about the flaw in September 2024, the company reportedly rolled out a security patch only in April 2025, leaving millions of devices exposed for nearly half a year. The issue has since been resolved, but experts warn that the incident underscores how even the most premium smartphones can fall victim to silent espionage.

Unit 42 researchers discovered the malicious images while analysing submissions on Google’s VirusTotal, a public database where users upload suspicious files for inspection. Multiple compromised DNG files uploaded from Middle Eastern IPs led researchers to the hidden spyware.

Interestingly, the digital signatures and tactics used in Landfall resembled those associated with Stealth Falcon, a well-known surveillance group previously linked to cyberattacks on journalists and activists in the UAE. However, the researchers emphasized that there is not yet enough evidence to confirm who created or deployed the malware.

“It was a precision attack, not a mass campaign,” said Itay Cohen, Senior Principal Researcher at Unit 42. “That strongly suggests espionage motives rather than financial gain.”

Turkey’s national cyber agency later confirmed that one of the spyware’s command-and-control servers was flagged as malicious, reinforcing suspicions that Turkish citizens may have been among the targets.

For now, experts urge Samsung users to ensure their phones are running the latest security updates. The Landfall episode is a stark reminder that in today’s cyber landscape, even receiving an innocent-looking picture could open the door to digital surveillance.
