Samsung Galaxy smartphones have faced a serious cybersecurity issue as a result of a zero-day vulnerability being exploited through WhatsApp images by a covert spyware campaign that has been discovered by researchers. The spyware, which has been given the name Landfall, had the ability to quietly access devices and no action from the user was required—just getting an image that was infected was sufficient.

Zero-Click Exploit Through WhatsApp Images

According to cybersecurity firm Palo Alto Networks’ Unit 42, hackers took advantage of a flaw in Samsung’s image-processing system to deploy Landfall spyware across several Galaxy models. The vulnerability—CVE-2025-21042—was hidden deep within Samsung’s proprietary image-handling library.

By weaponizing Digital Negative (DNG) files disguised as normal JPEGs, attackers managed to execute a zero-click attack, gaining full control over the device immediately after the image was delivered. Victims did not need to open or tap on the file.

Affected Devices and Timeline

The spyware primarily targeted Samsung Galaxy S22, S23, S24, Z Fold 4, and Z Flip 4 models, especially in the Middle East, including Turkey, Iran, Iraq, and Morocco. The operation reportedly remained undetected for nearly a year before being discovered in mid-2024.

Although Samsung was informed about the flaw in September 2024, the company released a security patch only in April 2025, leaving millions of users vulnerable for months.

Landfall’s Capabilities and Impact

Once installed, Landfall acted as a powerful surveillance tool capable of:

• Recording phone calls
• Accessing photos, contacts, and messages
• Activating the microphone for eavesdropping
• Tracking users’ real-time location

Investigators said the spyware’s design and techniques resembled those of Stealth Falcon, a group previously linked to state-backed surveillance operations in the UAE, though no direct attribution has yet been confirmed.

“It was a precision attack, not a mass campaign,” said Itay Cohen, Senior Principal Researcher at Unit 42. “That strongly suggests espionage motives rather than financial gain.”

Discovery and Response

The campaign came to light when Unit 42 analysts found several compromised DNG files uploaded to Google’s VirusTotal platform from Middle Eastern IP addresses. Subsequent analysis revealed links to a command-and-control server flagged by Turkey’s national cyber agency, indicating possible targeting of Turkish users.

Samsung has since fixed the vulnerability, but experts warn that the Landfall exploit is a stark reminder of the growing sophistication of mobile cyberattacks. Users are urged to update their devices immediately and remain cautious even with trusted communication apps like WhatsApp.

Cybersecurity experts caution: In today’s threat landscape, even a harmless-looking image could open the door to digital espionage.