Zero-click spyware attack: WhatsApp images secretly hacked Samsung Galaxy phones for months

Samsung Galaxy owners may want to be cautious before opening a photo on WhatsApp. A newly revealed cyber espionage campaign has been quietly targeting Galaxy smartphones for almost a year, exploiting a vulnerability in Samsung’s software to infect devices without any user interaction. The operation, discovered by Palo Alto Networks’ Unit 42, embedded a commercial-grade spyware known as Landfall within seemingly ordinary photos that were shared via messaging apps.
What makes this attack particularly alarming is its effortless execution. Victims didn’t need to tap a malicious link or download a suspicious app—the infection was triggered the moment the compromised image was received. Security researchers say the attackers leveraged a zero-day flaw that granted them access instantly, effectively transforming a simple photo message into a gateway for surveillance.
DNG images used to deploy the spyware
The vulnerability, identified as CVE-2025-21042, was found in Samsung’s image-processing library. Unit 42’s report revealed that hackers weaponised Digital Negative (DNG) files by disguising them as regular JPEG images and delivering them through apps like WhatsApp. Once a tainted image arrived on the device, the spyware executed silently.
Landfall functioned as a comprehensive spying tool. It could monitor calls, extract messages and photos, access contact lists, record audio, and even track users’ movements. The operation primarily targeted owners of Galaxy S22, S23, S24, Z Fold 4, and Z Flip 4 models, with victims located mainly in parts of the Middle East, including Turkey, Iran, Iraq, and Morocco.
Researchers first detected signs of Landfall activity in July 2024. Despite notifying Samsung of the vulnerability privately in September 2024, a fix wasn’t released until April 2025, leaving users vulnerable for several months. Although the issue has since been patched, the incident underlines that even premium smartphones are not immune to stealthy, high-level surveillance campaigns.
According to Unit 42, this was not a large-scale malware outbreak but a carefully targeted operation aimed at specific individuals, possibly for intelligence or surveillance purposes.
The researchers also noted links between the attackers’ infrastructure and Stealth Falcon—a known cyber-espionage group previously associated with operations against journalists and activists. However, the available evidence was insufficient to conclusively tie this campaign to any government entity.