New Delhi – Samsung Galaxy users are being warned to think twice before opening even the most innocent-looking photo on WhatsApp. A sophisticated cyber-espionage campaign that ran silently for almost a year has been uncovered, revealing how ‘Landfall’ — a powerful spyware — exploited a flaw in Samsung’s software to infiltrate devices without any click or download action from the victim.
The spyware was hidden inside Digital Negative (DNG) image files, which were disguised as regular JPEG photos and sent through messaging apps like WhatsApp. As soon as the image reached a device, the malicious code activated automatically — making it a textbook case of a “zero-click attack” where users didn’t have to do anything to be compromised.
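For analysts triaging received media, the disguise described above (a DNG file carrying a JPEG name) can be surfaced by comparing the file extension with the actual container format. The following is an added example, not code from Unit 42 or Samsung; the function names and sample bytes are constructed for illustration, and it flags only the format mismatch, not the exploit itself.

```python
import struct

DNG_VERSION_TAG = 0xC612  # DNGVersion tag (50706) defined by the DNG specification
JPEG_EXTENSIONS = (".jpg", ".jpeg")


def ifd0_tags(data: bytes) -> set:
    """Return the tag ids in the first TIFF IFD, or an empty set if not TIFF."""
    if len(data) < 8 or data[:2] not in (b"II", b"MM"):
        return set()
    endian = "<" if data[:2] == b"II" else ">"
    magic, ifd_offset = struct.unpack(endian + "HI", data[2:8])
    if magic != 42 or ifd_offset + 2 > len(data):
        return set()
    (count,) = struct.unpack_from(endian + "H", data, ifd_offset)
    tags = set()
    for i in range(count):
        entry = ifd_offset + 2 + 12 * i
        if entry + 12 > len(data):  # truncated or malformed directory
            break
        (tag,) = struct.unpack_from(endian + "H", data, entry)
        tags.add(tag)
    return tags


def sniff_format(data: bytes) -> str:
    """Classify by content: JPEG starts FF D8 FF, DNG is TIFF with DNGVersion."""
    if data[:3] == b"\xff\xd8\xff":
        return "jpeg"
    tags = ifd0_tags(data)
    if DNG_VERSION_TAG in tags:
        return "dng"
    return "tiff" if tags else "unknown"


def is_disguised_dng(filename: str, data: bytes) -> bool:
    """True when a file named like a JPEG is really a DNG container."""
    return filename.lower().endswith(JPEG_EXTENSIONS) and sniff_format(data) == "dng"


def build_sample_dng() -> bytes:
    """Constructed sample: little-endian TIFF header plus one IFD0 entry."""
    header = b"II" + struct.pack("<HI", 42, 8)
    entry = struct.pack("<HHI4s", DNG_VERSION_TAG, 1, 4, bytes([1, 4, 0, 0]))
    return header + struct.pack("<H", 1) + entry + struct.pack("<I", 0)


if __name__ == "__main__":
    for name, blob in [("photo.jpg", build_sample_dng()),            # constructed
                       ("holiday.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16)]:
        print(name, sniff_format(blob), is_disguised_dng(name, blob))
```

A hit means only that the name and the content disagree; the file still needs analysis in an isolated environment before any conclusion is drawn.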
How the Attack Worked
According to cybersecurity researchers at Palo Alto Networks’ Unit 42, the attack targeted a vulnerability identified as CVE-2025-21042 within Samsung’s image-processing library. Once the infected DNG image was received, ‘Landfall’ gained access to the phone’s camera, microphone, files, location, and even call logs.
The spyware effectively turned the phone into a full-fledged surveillance device, capable of recording calls, stealing photos and messages, accessing contacts, and tracking user movements in real time.
Most of the victims were users of Galaxy S22, S23, S24, Z Fold 4, and Z Flip 4, primarily located in Turkey, Iran, Iraq, and Morocco — countries across the Middle East.
The Year-Long Silent Operation
Investigators found that the ‘Landfall’ campaign began in mid-2024 and operated undetected for several months.
Although Samsung was notified about the flaw in September 2024, the security patch was released only in April 2025, leaving devices vulnerable for nearly half a year.
Possible Links to Past Espionage Groups
Unit 42 discovered the campaign while scanning Google’s VirusTotal, a database of suspicious files uploaded by users worldwide. Several infected DNG files uploaded from the Middle East were found to contain identical malicious code.
Interestingly, the digital fingerprints of ‘Landfall’ resembled the work of a known cyber-espionage group called Stealth Falcon, previously linked to spyware attacks on journalists and human rights activists in the UAE.
However, researchers have not attributed the campaign to any specific actor, citing insufficient evidence.
“This was a precision strike, not a mass campaign,” said Itay Cohen, Senior Principal Researcher at Unit 42.
“That strongly indicates espionage motives rather than financial gain.”
Turkey’s national cyber agency later flagged one of the spyware’s command-and-control servers as malicious, suggesting that Turkish users may have been among the targets.
What Samsung Users Should Do
Samsung has confirmed that devices running the latest software updates are now protected.
The company has patched the vulnerability, but the episode serves as a critical reminder that even high-end smartphones are not immune to silent surveillance.
The Bigger Picture: The Evolution of Modern Spyware
The Landfall case underscores how spyware has evolved beyond traditional phishing or malicious app installs.
Today, a single image — sent through a trusted app — can be enough to compromise a device entirely.
As one cybersecurity analyst put it:
“You don’t need to click a link anymore to be hacked. The image itself can do the job.”
The incident raises urgent questions about digital privacy, national security, and the growing sophistication of cyber-espionage tools targeting consumers and state entities alike.
