Samsung Galaxy owners should think twice before opening seemingly innocent images on WhatsApp. A newly revealed spyware operation, which had been running quietly for close to a year, exploited a weakness in Samsung’s software to access phones without the owner’s knowledge. The campaign, discovered by Palo Alto Networks’ Unit 42, concealed sophisticated spyware named Landfall inside what appeared to be harmless photos and delivered it through messaging applications.

The frightening aspect of this operation is its simplicity. There were no deceptive links to click and no strange apps to install; a normal-looking image was enough to put the entire device at risk. Security experts say the attack used a zero-day vulnerability that let the attackers gain entry the instant the image arrived on the device, turning the everyday act of receiving pictures into a potential surveillance channel.
The flaw, tracked as CVE-2025-21042, was hidden in Samsung’s image processing library. Unit 42 reported that attackers modified Digital Negative (DNG) image files, passed them off as ordinary JPEGs, and sent them via messaging platforms like WhatsApp. Once received, these images could quietly take over the phone, making this a “zero-click” attack.

After infiltration, Landfall functioned as a comprehensive spy tool. It could monitor phone calls, collect photos and messages, read contact lists, record conversations, and even track the user’s location. The victims, mainly users of Galaxy S22, S23, S24, Z Fold 4, and Z Flip 4 devices, were located in various parts of the Middle East, including Turkey, Iran, Iraq, and Morocco.

Analysts noted that the spyware was first identified in mid-2024 and operated unnoticed for several months. Samsung was reportedly notified about the flaw in September 2024, but it did not issue a fix until April 2025, leaving devices vulnerable for nearly six months. Although the flaw has now been fixed, the incident shows that even high-end smartphones are not immune to covert surveillance.
Unit 42 found the campaign while examining Google’s VirusTotal, a public malware repository where suspicious files are shared. There, they encountered numerous infected DNG files uploaded from the Middle East during 2024 and the beginning of 2025. Notably, Landfall’s digital traces resembled those of a known surveillance group called Stealth Falcon, which has been linked to spyware attacks on journalists and dissidents in the UAE. However, the researchers stopped short of attribution, stating that there was insufficient proof to determine who created or deployed the malware. “This was a targeted attack, not a widespread operation,” noted Itay Cohen, a senior principal researcher at Unit 42. “This strongly indicates motives of espionage rather than financial profit.”
Turkey’s national cyber agency even flagged one of the spyware’s command-and-control servers as malicious, suggesting that Turkish users might have been among the targets. For now, Samsung users who have kept their software up to date are protected. However, the Landfall incident is another reminder that spyware is advancing rapidly and that, at times, it does not even require you to click “download” to get onto a device.






