It's come to light that a stealthy cyber espionage campaign managed to hack Samsung Galaxy phones by using dodgy picture files that were infected with malware. The spyware in question is called Landfall, and it exploited a weakness in an image processing library used by Samsung to slip past security with ease, even when the images were opened via WhatsApp. The researchers say this all went down and was operating for months before the first infected pics were spotted and a fix was rolled out.
The following sections pull together the confirmed facts from the report and are based on the information provided by the research team and the funding agencies. Every technical detail and timeline below comes straight from the reporting, and we have made sure to give credit where credit is due.
WhatsApp Spyware Exploit
What the researchers found was pretty clever: the attackers packed malicious code into Digital Negative (DNG) picture files, disguised them as standard JPEGs, and sent them off as WhatsApp messages. When the image was opened on a Samsung device, it triggered a vulnerability in the image processing code, logged as CVE-2025-21042, without the user ever lifting a finger; hence, it's a zero-click exploit.
When the exploit ran, it deployed an implant called Landfall that gave the operator wide access to the device. The spyware included the ability to turn on and record from the camera and the microphone, record phone calls, exfiltrate photographs and messages, harvest contact and call log information, and track the device’s location in real-time. Investigators stated that the majority of infections were seen in certain Galaxy models in certain countries, suggesting that this was targeted surveillance and not indiscriminate use of exploits to compromise phones at scale.
Infection Chain
The attack chain seen by researchers had a clear, straightforward pattern to it:
A custom-made DNG image was sent via WhatsApp to a target.
The recipient device automatically started processing the image through Samsung's image library, and that's when the trouble started.
Processing that DNG file triggered the vulnerability tracked as CVE-2025-21042. Once that happened, the embedded payload started running.
The payload then deployed something called Landfall. This basically allowed it to set up secret communications with servers and start siphoning off data.
It all worked because the exploit caught people off guard by abusing automatic image handling. You didn't have to tap on the image or interact with it in any way to get infected. That's the nature of a zero-click attack, and it's the reason this campaign was both so stealthy and so alarming.
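A cheap defender-side triage check for the disguise described above, added here as an example and not taken from the report: a JPEG starts with the bytes FF D8 FF, while a DNG is a TIFF container whose first image directory (IFD0) carries the DNGVersion tag (0xC612), so a file named ".jpg" whose bytes say "DNG" deserves a second look. The sample DNG is constructed inline; file names and the `check_attachment` helper are this example's own.

```python
# Added example, not code from the report: flag an attachment whose
# declared ".jpg" name does not match its real container. A JPEG starts
# with FF D8 FF; a DNG is a TIFF container whose IFD0 carries the
# DNGVersion tag (0xC612).
import struct

DNG_VERSION_TAG = 0xC612

def dng_ifd0_has_version_tag(data: bytes) -> bool:
    """Parse the TIFF header and walk IFD0 looking for DNGVersion."""
    if len(data) < 8 or data[:2] not in (b"II", b"MM"):
        return False
    endian = "<" if data[:2] == b"II" else ">"
    magic, ifd0 = struct.unpack(endian + "HI", data[2:8])
    if magic != 42 or ifd0 + 2 > len(data):
        return False
    (count,) = struct.unpack(endian + "H", data[ifd0:ifd0 + 2])
    for i in range(count):
        off = ifd0 + 2 + 12 * i          # each IFD entry is 12 bytes
        if off + 12 > len(data):
            return False                 # truncated IFD, do not trust it
        (tag,) = struct.unpack(endian + "H", data[off:off + 2])
        if tag == DNG_VERSION_TAG:
            return True
    return False

def sniff_container(data: bytes) -> str:
    """Classify by leading bytes, never by file name."""
    if data.startswith(b"\xff\xd8\xff"):
        return "jpeg"
    if data[:4] in (b"II*\x00", b"MM\x00*"):
        return "dng" if dng_ifd0_has_version_tag(data) else "tiff"
    return "unknown"

def check_attachment(name: str, data: bytes) -> str:
    """Return 'ok' or a mismatch string for a declared-vs-actual clash."""
    declared = name.rsplit(".", 1)[-1].lower()
    actual = sniff_container(data)
    if declared in ("jpg", "jpeg") and actual != "jpeg":
        return f"mismatch: named {declared} but content is {actual}"
    return "ok"

def build_sample_dng() -> bytes:
    """Constructed minimal little-endian DNG: header, IFD0 with a single
    DNGVersion entry (type BYTE, count 4, value 1.4.0.0 stored inline)."""
    header = b"II*\x00" + struct.pack("<I", 8)
    entry = struct.pack("<HHI", DNG_VERSION_TAG, 1, 4) + bytes([1, 4, 0, 0])
    return header + struct.pack("<H", 1) + entry + struct.pack("<I", 0)
```

A mismatch is only a triage signal, not proof of exploitation: the point is that the file name tells you nothing, and only the patched image library actually removes the risk.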
Timeline and Scope
According to the report, here's what went down:
The whole shebang started around the middle of 2024.
Samsung was notified about the vulnerability in September of the same year.
A patch for CVE-2025-21042 was released in April 2025.
So devices were exposed to the risk for about six months in total.
The samples they looked at all showed the same sort of malicious code, which suggested that it wasn't some opportunistic thing. Rather, it looked like a coordinated effort. The devices that got hit included the Galaxy S22, S23, S24, Z Fold 4, and Z Flip 4. The bulk of the victims seem to have been in Turkey, Iran, Iraq, and Morocco.
Researchers managed to track down a bunch of infected DNG samples just by searching through a public malware repository. What they found only reinforced their idea that this was a deliberate, calculated effort and not just some opportunistic thing.
Who Was Behind It?
The code and infrastructure behind Landfall looked suspiciously like other tools used by surveillance operators, and it even shared a few familiar features with known espionage toolsets. But the researchers couldn't pinpoint who was behind the attack, as the evidence just wasn't clear-cut.
As one researcher put it, "It was like a precision-guided missile, not a shotgun blast." The way it was all targeted towards specific countries and regions, and the fact it didn't seem to be after financial gain, all pointed to it being some kind of intelligence-gathering operation.
Not long after, one of the affected countries started blacklisting some of the servers involved, which confirmed that the campaign was on its radar.
Samsung's Response
Samsung has commented on the situation, confirming that devices running the latest software updates are protected from this exploited vulnerability. The April 2025 update carries the fix for CVE-2025-21042.
Recommended Actions:
Get the April 2025 firmware update or a later one if it comes along.
Make sure your phone is set to auto-update so you keep on top of future patches.
Don't open files from dodgy sources even if you think they are okay.
Have a good look at what permissions are set for the camera, microphone, and storage on your apps.
Give your phone a reboot every now and then to keep things running smoothly.
Back up your stuff so you can restore it from a clean copy if you need to.
Privacy and Security Risks
The recent campaign shows that spyware has moved on from tricking you into installing it through floods of emails and spam. Attackers are now abusing common file formats and the background processing that runs on your phone, so you don't need to lift a finger.
The highly targeted campaign in the report is making many people worry that these kinds of attacks are being used to snoop on individuals. The months of delay between the discovery of the flaw and the release of the patch highlight just how long people and devices stay exposed to risk even after a problem has been found.
What We Know So Far
The report does a good job of laying out the full details of the exploit, the phones that were hit, the CVE number, and the timeline of the whole thing. It also goes into some detail on how the researchers found the exploit and how some law enforcement agencies helped shut down part of the infrastructure behind it.
One thing we still don't know is who is behind all of this. The team that went and found the exploit said that they did find some similarities with other groups, but there just wasn't enough evidence to point the finger at anyone yet.
Advice for Users on Security
For organizations and individuals in high-risk settings, the report makes the following recommendations:
• Confirm that all devices are running the patched firmware.
• Employ mobile threat detection tools, as well as monitor outbound network traffic.
• Keep sensitive work on a separate device from personal device(s).
• If there is any concern that a phone may have been compromised, conduct forensic analysis of that phone.
Final Thought
The Landfall campaign is a known example of a zero-click, image-based exploit that affected Samsung Galaxy phones. The technical information, CVE, affected devices, and timelines come directly from the initial report and are all correct at the time of this publication.