Spyware Alert: Hackers used WhatsApp images to target Samsung Galaxy phones for months

A sophisticated spyware called Landfall took advantage of a flaw in Samsung's image-processing library to silently spy on users. The campaign targeted Galaxy phones in the Middle East and went undetected for months, raising serious security concerns.

Samsung Galaxy users may want to think twice before opening that innocent-looking image on WhatsApp. A newly exposed spyware campaign that had been quietly running for almost a year took advantage of a flaw in Samsung’s software to infiltrate victims’ phones. The operation, uncovered by Palo Alto Networks’ Unit 42, involved a commercial-grade spyware called Landfall hidden inside harmless-looking photos and spread through messaging apps.

What makes this campaign particularly notable is its simplicity. There were no fake links to click and no suspicious apps to install, just a regular-looking picture that could compromise the entire device. Security researchers say the attack relies on a zero-day bug that lets hackers gain access as soon as the image arrives on the phone, turning the everyday task of receiving photos into a potential espionage operation.

Hackers used DNG image file

The cause was a vulnerability tracked as CVE-2025-21042 in Samsung’s image-processing library. According to Unit 42, the attackers weaponized Digital Negative (DNG) image files, disguised them as normal JPEGs, and sent them through messaging apps like WhatsApp. Once received, these images can silently attack the phone, a textbook “zero-click” attack.
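A defender-side check for the disguise described above, as an added example that is not from Unit 42 or the original article: it classifies a file by its leading bytes rather than its extension and flags files named as JPEG that are really TIFF-based DNG. The function names and the sample bytes are constructed for illustration.

```python
import struct

DNG_VERSION_TAG = 0xC612  # TIFF tag 50706 (DNGVersion), required in IFD0 of a DNG

def sniff_image_type(data: bytes) -> str:
    """Classify by content, not name: 'jpeg', 'dng', 'tiff' or 'unknown'."""
    if data[:3] == b"\xff\xd8\xff":            # JPEG start-of-image marker
        return "jpeg"
    if data[:4] == b"II*\x00":                 # little-endian TIFF header
        endian = "<"
    elif data[:4] == b"MM\x00*":               # big-endian TIFF header
        endian = ">"
    else:
        return "unknown"
    if len(data) < 8:
        return "tiff"                          # truncated, but still not a JPEG
    (ifd_off,) = struct.unpack_from(endian + "I", data, 4)
    if ifd_off + 2 > len(data):
        return "tiff"                          # IFD pointer outside the buffer
    (count,) = struct.unpack_from(endian + "H", data, ifd_off)
    for i in range(count):                     # each IFD entry is 12 bytes
        entry = ifd_off + 2 + 12 * i
        if entry + 12 > len(data):
            break
        (tag,) = struct.unpack_from(endian + "H", data, entry)
        if tag == DNG_VERSION_TAG:
            return "dng"
    return "tiff"

def is_disguised(filename: str, data: bytes) -> bool:
    """True when a file named like a JPEG carries TIFF/DNG content."""
    claims_jpeg = filename.lower().endswith((".jpg", ".jpeg"))
    return claims_jpeg and sniff_image_type(data) in ("dng", "tiff")

def make_sample_dng(endian: str = "<") -> bytes:
    """Constructed sample: minimal TIFF header plus one DNGVersion entry."""
    magic = b"II*\x00" if endian == "<" else b"MM\x00*"
    ifd = struct.pack(endian + "H", 1)                  # one IFD entry
    ifd += struct.pack(endian + "HHI4s", DNG_VERSION_TAG, 1, 4, b"\x01\x04\x00\x00")
    ifd += struct.pack(endian + "I", 0)                 # no next IFD
    return magic + struct.pack(endian + "I", 8) + ifd

SAMPLE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"  # constructed JPEG/JFIF prefix

if __name__ == "__main__":
    for name, blob in [("constructed_photo.jpg", make_sample_dng()),
                       ("constructed_photo.jpeg", SAMPLE_JPEG)]:
        print(name, sniff_image_type(blob), "DISGUISED" if is_disguised(name, blob) else "ok")
```

A mismatch is a triage signal for messaging gateways and forensic review, not proof of exploitation.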

Once inside, Landfall acted as a full-fledged spy. It can spy on calls, scan photos and messages, scrape contacts, record conversations and even track the user’s location. The targets, mostly Galaxy S22, S23, S24, Z Fold 4, and Z Flip 4 users, were spread across parts of the Middle East, including Turkey, Iran, Iraq, and Morocco.

The researchers said the spyware was first detected in mid-2024 and remained undetected for several months. Samsung was reportedly informed about the issue in September 2024, but released the patch only in April 2025, leaving the devices exposed for almost half a year. Although the flaw has now been fixed, the episode highlights how even top-tier phones are not immune to silent surveillance.

Connection to previous espionage operations

Unit 42 found the campaign while investigating Google’s VirusTotal, a public malware database where suspicious files are uploaded. There, they found several infected DNG files uploaded from the Middle East between 2024 and early 2025.

Interestingly, the digital fingerprints of Landfall resemble the work of a known surveillance group called Stealth Falcon, a team previously linked to spyware attacks on journalists and dissidents in the UAE. However, researchers stopped short of assigning blame, saying there was not enough evidence to confirm who created or deployed the malware.

Itay Cohen, senior principal researcher for Unit 42, said, “This was a precision attack, not a mass campaign. This strongly suggests espionage motives rather than financial gain.”

Turkey’s national cyber agency flagged one of the spyware’s command-and-control servers as malicious, indicating that Turkish users may have been among the victims.

For now, Samsung users who have kept their phones updated are safe. But the Landfall episode is another reminder that spyware is evolving rapidly, and sometimes, you don’t even need to tap “Download” before it’s on the move.
