Hidden Image Files Enabled Zero-Click Spyware Attack on Samsung Devices

Updated at: November 10, 2025

A hidden threat exploited a vulnerability in Samsung devices that allowed attackers to spy on users without any interaction. The campaign, identified as “Landfall,” targeted select smartphones by embedding malicious code inside seemingly ordinary image files. Cybersecurity firm Unit 42 at Palo Alto Networks traced the operation to an April 2025 patch that addressed vulnerability CVE-2025-21042, though the exploit had operated quietly for about ten months. Attackers used specially crafted Digital Negative (DNG) files that appeared innocuous but contained ZIP archives with malicious libraries. Once the device processed the image, the exploit triggered automatically via the flawed image-parsing library.

The infiltration method bypassed traditional security warnings: users did not need to click links or install apps. The code executed simply when the image was received, making it a textbook zero-click attack. Region-specific evidence pointed to targets in parts of the Middle East, including Turkey, Iran, Iraq and Morocco. While exact numbers remain unclear, the campaign operated covertly across several countries.

Operators achieved deep access. Once the exploit succeeded, the malware could extract messages, contacts, call logs, location data and even record audio through the microphone. The toolkit reached beyond mere data theft to full surveillance capability. In terms of device range, the attack affected models running Android versions 13 to 15, including multiple Galaxy S and Z series devices.

This incident highlights how image-handling code can become an attack vector when developers assume passive file-load operations pose little threat. The affected library allowed malicious content to execute with system-level privileges, showing how deep vulnerabilities can lie hidden in everyday features. For users, the takeaway is clear: installing the latest security updates matters more than ever. Devices with older firmware remained exposed while the exploit remained active.

For enterprises and governments, this technique raises alarming prospects. Attackers did not rely on user error or social engineering, just the reception of a malicious image. In scenarios where actors target specific individuals or groups, such a capability magnifies risk. Companies managing sensitive mobile fleets should scrutinise device-firmware status and review how mobile-device management systems monitor for unusual behaviour.

In summary, this event underscores that device security cannot rely on user caution alone. Attack surfaces extend into file-type parsers and hardware libraries, areas often outside typical threat models. Updating devices promptly, restricting untrusted file types, and maintaining vigilant monitoring must become core parts of mobile-security strategy.
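
A triage check for the carrier format described above (a DNG file that also contains a ZIP archive), as an added example that is not from Unit 42 or this article. It assumes the archive sits after the image data, where a ZIP reader can locate it from the end of the file; the function names, the flagged suffix list and the sample buffers are constructed for illustration.

```python
import io
import struct
import zipfile

TIFF_MAGICS = (b"II*\x00", b"MM\x00*")           # DNG is a TIFF container
CODE_SUFFIXES = (".so", ".dex", ".jar", ".apk")  # assumption: member types worth flagging


def inspect_image(data: bytes) -> dict:
    """Report whether a TIFF/DNG buffer also parses as a ZIP archive."""
    report = {"is_tiff": data[:4] in TIFF_MAGICS, "embedded_zip": False,
              "zip_offset": None, "members": [], "flagged": []}
    try:
        # zipfile finds the end-of-central-directory record from the tail,
        # so it also opens archives that have foreign data in front of them.
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            infos = zf.infolist()
    except zipfile.BadZipFile:
        return report                            # no well-formed archive present
    report["embedded_zip"] = True
    report["members"] = [i.filename for i in infos]
    if infos:
        # header_offset is absolute within the buffer, prefix included
        report["zip_offset"] = min(i.header_offset for i in infos)
    report["flagged"] = [n for n in report["members"]
                         if n.lower().endswith(CODE_SUFFIXES)]
    return report


def verdict(report: dict) -> str:
    """Map a report to a hypothetical gateway action."""
    if report["is_tiff"] and report["embedded_zip"]:
        return "quarantine" if report["flagged"] else "review"
    return "pass"


def constructed_samples() -> tuple[bytes, bytes]:
    """Build a clean TIFF stub and one with a benign ZIP appended (constructed)."""
    # Header: byte order, magic 42, IFD at offset 8; IFD with zero entries.
    tiff = b"II*\x00" + struct.pack("<I", 8) + struct.pack("<HI", 0, 0) + bytes(64)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("libexample.so", b"placeholder, not a real library")
        zf.writestr("notes.txt", b"constructed sample")
    return tiff, tiff + buf.getvalue()


if __name__ == "__main__":
    for name, blob in zip(("clean.dng", "carrier.dng"), constructed_samples()):
        r = inspect_image(blob)
        print(name, verdict(r), r["zip_offset"], r["flagged"])
```

A legitimate DNG has no reason to parse as a ZIP, so any hit is worth a look; the suffix list only decides how urgently.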
