A cybersecurity vendor revealed new details about a spyware campaign that exploited a flaw in Samsung’s software for months, targeting a limited group of users through malicious image files.
The attack was linked to a vulnerability known as CVE-2025-21042, found in Samsung’s image processing library. The flaw allowed attackers to embed spyware within image files, which could then infect devices when received via messaging apps like WhatsApp.
“Landfall was embedded in malicious image files (DNG file format) that appear to have been sent via WhatsApp,” reported Palo Alto Networks’ Unit 42 cybersecurity division. According to their findings, the spyware had been active since mid-2024, secretly monitoring Samsung Galaxy devices in multiple series, including the S22, S23, S24, Z Fold4, and Galaxy Z Flip 4.
The campaign primarily targeted users located in the Middle East, in countries such as Iraq, Iran, Turkey, and Morocco. Once installed, Landfall could record audio and extract photos, contact lists, and call logs, among other personal data.
Unit 42 discovered that Landfall was capable of infecting devices without user interaction, using what experts term a “zero-click” exploit. Traces of the spyware were found during an analysis of Google’s VirusTotal, a service for uploading and scanning suspicious files.
Samsung resolved the vulnerability with a security patch released in April 2025. The investigation by cybersecurity firms continues to assess the full scope of the compromise and the entities behind the operation.
Author’s summary: The Landfall spyware exploited a Samsung flaw to quietly infiltrate devices across the Middle East through malicious image files, prompting urgent cybersecurity countermeasures.