Sophisticated “Landfall” Spyware Targets Samsung Galaxy Phones via Image Files

Updated at: November 11, 2025

Security researchers have uncovered a high-level espionage campaign exploiting a vulnerability in certain Samsung Galaxy smartphones through corrupted image files. The campaign, named “Landfall,” used manipulated images that executed malware without requiring any user interaction. According to the findings, the malicious files targeted Samsung devices by embedding exploit code in digital image formats, which triggered unauthorized access when the phone processed the image. The attack leveraged a flaw in Samsung's image-processing component, specifically within DNG image handling. Attackers wrapped a ZIP archive inside a malformed image file, and a shared library payload ran when the device automatically parsed that image. Once the payload executed, it altered system-level configurations and granted itself elevated privileges. This approach allowed the spyware to bypass typical safeguards like user approval or app installation prompts.
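A triage check for the file structure described above, added here as an example and not taken from the Unit 42 report or from Samsung: it flags TIFF/DNG bytes that also contain a readable ZIP archive and lists archive members that begin with the ELF magic of a native shared library. The function names and the sample input are constructed for illustration, and the check assumes the embedded archive keeps an intact central directory.

```python
import io
import struct
import zipfile

TIFF_MAGICS = (b"II*\x00", b"MM\x00*")   # DNG is a TIFF-based container
EOCD_SIG = b"PK\x05\x06"                 # ZIP end-of-central-directory record
ELF_MAGIC = b"\x7fELF"                   # native shared libraries (.so) start with this


def scan_image_for_zip(data: bytes) -> dict:
    """Report whether TIFF/DNG bytes carry an embedded ZIP and any ELF members."""
    result = {"is_tiff": data[:4] in TIFF_MAGICS, "has_zip": False,
              "members": [], "elf_members": []}
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0 or eocd + 22 > len(data):
        return result
    # The EOCD record is 22 bytes plus a comment whose length is its last field.
    (comment_len,) = struct.unpack_from("<H", data, eocd + 20)
    end = eocd + 22 + comment_len
    try:
        # zipfile tolerates data prepended to the archive (here, the image bytes).
        with zipfile.ZipFile(io.BytesIO(data[:end])) as zf:
            result["has_zip"] = True
            for info in zf.infolist():
                result["members"].append(info.filename)
                with zf.open(info) as fh:
                    if fh.read(4) == ELF_MAGIC:   # read only the header bytes
                        result["elf_members"].append(info.filename)
    except (zipfile.BadZipFile, RuntimeError, NotImplementedError):
        pass  # chance signature match, encrypted member or unsupported method
    return result


def build_sample(with_zip: bool) -> bytes:
    """Constructed test input: minimal TIFF header, optionally followed by a ZIP."""
    tiff = b"II*\x00" + struct.pack("<I", 8) + b"\x00\x00" + b"\x00" * 4
    if not with_zip:
        return tiff
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("lib/sample.so", ELF_MAGIC + b"\x00" * 60)  # placeholder bytes
        zf.writestr("notes.txt", "constructed sample")
    return tiff + buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("clean", build_sample(False)), ("suspect", build_sample(True))):
        print(label, scan_image_for_zip(blob))
```

A hit is a reason to quarantine the file and examine it further, not proof of compromise, and a clean result does not rule out other embedding methods.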

Researchers at Palo Alto Networks Unit 42 pinpointed this campaign as active during 2024 and early 2025. The exploit was identified under CVE-2025-21042 and affected a range of Galaxy models from the S22 through S24 series and foldables including the Z Flip 4 and Z Fold 4. The observed targets were concentrated primarily in regions such as Iraq, Iran, Turkey and Morocco, indicating a selective and targeted espionage effort rather than broad malware distribution.

Once inside a device, Landfall could access extensive data: contacts, files, browsing history and more. The capability extended to activating the camera and microphone remotely. In other words, even with no visible sign of intrusion, the attacker could monitor the device owner's activities. The sheer depth of access and invisibility of the attack make this one of the most advanced zero-click, fileless threat campaigns seen on Android to date.

Samsung issued a fix for the vulnerability in its April 2025 security update covering Android versions 13 through 15. However, the report stresses that even applying the patch may not fully remove the threat if the malware already altered system integrity. That means users should double-check their device security, review installed applications and consider a full device reset if they suspect compromise.

Even a seemingly innocuous image file can carry potent malware, undermining the assumption that attacks must involve clicking a link or installing an app. Security teams and users alike must broaden their threat monitoring practices to include file formats like images and other automated processing paths. For Samsung users, the immediate priority is to ensure all updates are installed. Beyond that, maintaining strong security hygiene with careful scrutiny of unexpected files and media is critical. In the evolving landscape of mobile threats, Landfall demonstrates that hardware vendors and OS developers must continuously harden even deeply embedded components such as media decoders. For device owners, the takeaway remains clear: apply patches, audit your device, and treat all files, even simple image attachments, with caution.
