New Spyware Campaign Targets Samsung Users
A recently discovered spyware campaign, named LANDFALL, has been targeting users of Samsung Galaxy devices in Morocco and other regions. The malware exploited a zero-day vulnerability in Samsung's image-processing library, delivered through images sent over WhatsApp, and likely infected devices without any user interaction. The campaign was uncovered by the threat intelligence team at Palo Alto Networks' Unit 42. According to their findings, the malware had been active since mid-2024, giving attackers months of surveillance access before Samsung patched the flaw in April 2025.
Exploiting WhatsApp’s Image Feature
Cybersecurity researchers have identified a digital espionage campaign that targets Samsung phone users in several countries, including Morocco. The malware, known as LANDFALL, was built to compromise Samsung Galaxy devices with little or no action by the victim. It used WhatsApp's image-sharing functionality as the delivery channel for a malicious image file; the vulnerability itself was in the phone's image parser, not in WhatsApp.
Images Carrying Spyware, No Clicks Required
According to a report published two days ago by Unit 42, the threat intelligence team at Palo Alto Networks, attackers exploited a critical zero-day vulnerability in Samsung's image-processing library, tracked as CVE-2025-21042. The flaw let them craft DNG image files that carried the spyware and send them over WhatsApp; when the device parsed the image, the bug was triggered and the payload ran. The infection likely required no interaction from the victim, who would not have needed to open or tap the image.
Once installed, LANDFALL enabled extensive surveillance capabilities, including recording audio through the device’s microphone, tracking GPS location, and accessing photos, contacts, and call logs. Researchers highlighted the spyware’s advanced design, which was built for stealth, persistence, and large-scale data collection across modern Samsung devices.
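The report summarised above does not say how the spyware was packed into the DNG files, and this page does not reproduce any exploit. As an added example (not code from Unit 42, Samsung or WhatsApp), the following Python script shows the kind of triage check an analyst might run over DNG attachments: it walks the TIFF container that a DNG is built on, computes how far the declared structure reaches, and flags files that carry data past that point or that contain a ZIP local-file-header signature, one common way of smuggling a payload inside an image. The sample files it builds, the trailing-byte tolerance and the subset of TIFF tags it follows are assumptions; a DNG that exploits a parser bug can be structurally clean, so this is a lead for investigation, not a substitute for patching.

```python
import struct

ZIP_LOCAL_HEADER = b"PK\x03\x04"
TRAILING_TOLERANCE = 4096          # assumed slack for vendor padding; tune per fleet
TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 6: 1, 7: 1, 8: 2, 9: 4, 10: 8,
              11: 4, 12: 8, 13: 4, 16: 8, 17: 8, 18: 8}   # bytes per TIFF type
PAIRS = {273: 279, 324: 325, 513: 514}   # offset tag -> byte-count tag
SUB_IFD_TAGS = {330, 34665, 34853}       # SubIFDs, Exif IFD, GPS IFD


def declared_extent(data: bytes) -> int:
    """Walk the TIFF container a DNG is built on and return the highest byte
    offset referenced by its declared structure (IFDs, out-of-line tag
    values, strips, tiles and embedded JPEG thumbnails)."""
    if len(data) < 8 or data[:2] not in (b"II", b"MM"):
        raise ValueError("not a TIFF/DNG header")
    e = "<" if data[:2] == b"II" else ">"
    magic, first_ifd = struct.unpack(e + "HI", data[2:8])
    if magic != 42:
        raise ValueError("bad TIFF magic")
    extent, seen, queue = 8, set(), [first_ifd]
    while queue:
        off = queue.pop()
        if off == 0 or off in seen:
            continue
        seen.add(off)
        if off + 2 > len(data):
            raise ValueError("IFD offset beyond end of file")
        (count,) = struct.unpack(e + "H", data[off:off + 2])
        end = off + 2 + count * 12 + 4
        if end > len(data):
            raise ValueError("IFD runs past end of file")
        extent = max(extent, end)
        found = {}
        for i in range(count):
            ent = off + 2 + i * 12
            tag, typ, n = struct.unpack(e + "HHI", data[ent:ent + 8])
            size = TYPE_SIZES.get(typ, 1) * n
            raw = data[ent + 8:ent + 12]
            if size > 4:                       # value stored out of line
                (voff,) = struct.unpack(e + "I", raw)
                if voff + size > len(data):
                    raise ValueError("tag %d value beyond end of file" % tag)
                extent = max(extent, voff + size)
                raw = data[voff:voff + size]
            if typ in (3, 4, 13) and (tag in PAIRS or tag in PAIRS.values()
                                     or tag in SUB_IFD_TAGS):
                fmt = e + ("H" if typ == 3 else "I") * n
                vals = struct.unpack(fmt, raw[:struct.calcsize(fmt)])
                if tag in SUB_IFD_TAGS:
                    queue.extend(vals)         # follow child IFDs
                else:
                    found[tag] = vals
        for off_tag, cnt_tag in PAIRS.items():
            for so, sc in zip(found.get(off_tag, ()), found.get(cnt_tag, ())):
                extent = max(extent, so + sc)
        (next_ifd,) = struct.unpack(e + "I", data[end - 4:end])
        queue.append(next_ifd)
    return extent


def scan_dng(data: bytes) -> dict:
    """Triage indicators for a DNG: a malformed structure, bytes past the
    declared structure, and any ZIP local-file-header signature (searched over
    the whole file; a chance 4-byte match in pixel data is rare but possible)."""
    try:
        extent = declared_extent(data)
    except ValueError as exc:
        return {"malformed": str(exc), "suspicious": True}
    trailing = max(len(data) - extent, 0)
    zip_at = data.find(ZIP_LOCAL_HEADER)
    return {
        "declared_extent": extent,
        "trailing_bytes": trailing,
        "zip_signature_offset": zip_at,
        "suspicious": zip_at != -1 or trailing > TRAILING_TOLERANCE,
    }


def build_sample_dng(trailer: bytes = b"") -> bytes:
    """Constructed test input: a minimal little-endian TIFF with one 2x2 8-bit
    strip, optionally followed by extra bytes standing in for a smuggled payload."""
    pixels = bytes(4)
    entries = [(256, 4, 1, 2), (257, 4, 1, 2), (258, 3, 1, 8), (262, 3, 1, 1),
               (273, 4, 1, 0), (277, 3, 1, 1), (278, 4, 1, 2), (279, 4, 1, len(pixels))]
    strip_off = 8 + 2 + 12 * len(entries) + 4      # strip follows the single IFD
    out = bytearray(b"II" + struct.pack("<HI", 42, 8))
    out += struct.pack("<H", len(entries))
    for tag, typ, n, val in entries:
        if tag == 273:
            val = strip_off
        out += struct.pack("<HHI", tag, typ, n)
        out += struct.pack("<HH", val, 0) if typ == 3 else struct.pack("<I", val)
    out += struct.pack("<I", 0) + pixels            # no next IFD, then pixel data
    return bytes(out) + trailer


if __name__ == "__main__":
    for name, blob in (("clean", build_sample_dng()),
                       ("appended-zip", build_sample_dng(ZIP_LOCAL_HEADER + bytes(60)))):
        print(name, scan_dng(blob))
```

Run it on a directory of exported attachments and sort by `trailing_bytes`; a file whose structure will not parse at all is reported as suspicious too, since a crafted image aimed at a parser bug is more likely to be malformed than a camera original. Real DNGs from some vendors carry private data the walker does not follow, which is why the tolerance exists and why a ZIP signature is the stronger of the two signals.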
Exploited for Months Before Samsung’s Patch
Evidence suggests that the campaign had been active since mid-2024, several months before Samsung addressed the vulnerability in April 2025. Malicious samples were uploaded to VirusTotal from countries including Iraq, Iran, Turkey, and Morocco, suggesting that users in these regions were among the primary targets, although the submitting country is only a rough indicator of where a file was received.
Unit 42 linked the campaign's infrastructure to known private-sector offensive actors (PSOAs) operating in the Middle East. They noted that the attack resembled a DNG-based exploit chain against iPhones disclosed in August 2025, which paired a WhatsApp vulnerability with an Apple image-parsing flaw and was likewise delivered as an image over the messaging app.
Samsung Addresses the Threat
Samsung has since closed off the attack path: CVE-2025-21042 was fixed in the April 2025 security update, and a related flaw in the same image-processing library, CVE-2025-21043, was fixed in September 2025. Devices on a patch level older than April 2025 remain exposed. Despite the patches, researchers described LANDFALL as "one of the most sophisticated and elusive espionage tools uncovered before public disclosure."
Key Details About the Attack
- Vulnerability Exploited: CVE-2025-21042, a zero-day in Samsung's image-processing library.
- Method of Infection: Spyware embedded in DNG image files sent via WhatsApp, likely with no user interaction.
- Impact: Audio recording, GPS tracking, access to photos, contacts, and call logs.
- Duration of Campaign: Active since mid-2024, until the patch in April 2025.
- Targeted Countries: Morocco, Iraq, Iran, Turkey, and others.
- Attribution: Linked to private-sector offensive actors in the Middle East.
- Patch Release: CVE-2025-21042 fixed in Samsung's April 2025 update; the related CVE-2025-21043 fixed in September 2025.
Ongoing Cybersecurity Concerns
The discovery of LANDFALL highlights the growing threat of attacks that exploit image parsers and other components reachable through widely used messaging platforms like WhatsApp. Because the image is processed automatically on receipt, user caution offers little protection against this class of attack: the device's security patch level is what matters. Organizations and individuals should confirm that their Samsung devices are on the April 2025 security update or later, keep messaging apps current, and treat unexpected image attachments from unknown senders as a reason to check for patches rather than as something they can safely inspect.
Conclusion
The LANDFALL campaign serves as a stark reminder of the evolving nature of cyber threats. With attackers constantly seeking new ways to exploit software vulnerabilities, it is crucial for both users and manufacturers to stay proactive in identifying and addressing security risks. The collaboration between cybersecurity firms and technology companies plays a vital role in protecting users from increasingly sophisticated malware.
