A recently identified spyware operation, named LANDFALL, has been focusing on Samsung Galaxy users in Morocco and other regions, leveraging a zero-day flaw in WhatsApp’s image-sharing capability to gain access to devices without any user involvement. Discovered by Palo Alto Networks’ Unit 42, this sophisticated malware has been operational since mid-2024, enabling attackers to carry out comprehensive monitoring until Samsung released a fix in 2025.
Security experts have discovered a complex cyber-spying operation that has been targeting Samsung phone users in multiple countries, such as Morocco, using a newly found spyware called LANDFALL. This malicious software was created to access Samsung Galaxy devices automatically, taking advantage of WhatsApp’s image-sharing function.
Images Containing Spyware, No Clicks Needed
A report released two days ago by Unit 42, the threat intelligence division of Palo Alto Networks, revealed that hackers took advantage of a critical zero-day flaw in Samsung’s image-processing library, identified as CVE-2025-21042. This vulnerability enabled them to insert spyware into DNG image files and transmit them through WhatsApp, with the infection happening automatically without users needing to open or click on the image.
After installation, LANDFALL provided comprehensive monitoring capabilities, such as capturing audio via the microphone, monitoring GPS location, and retrieving photos, contacts, and call records. Experts highlighted the spyware’s sophisticated architecture, designed for secrecy, long-term presence, and extensive data gathering on contemporary Samsung devices.
Used for Months Before Samsung Released a Fix
Research indicates that the campaign had been ongoing since mid-2024, several months prior to Samsung addressing the vulnerability in April 2025. Malicious files were also submitted to VirusTotal from nations including Iraq, Iran, Turkey, and Morocco, suggesting that users in these areas were among the main targets.
Unit 42 associated the campaign’s structure with recognized private-sector offensive actors (PSOAs) active in the Middle East, highlighting its similarity to an iPhone attack in August 2025 that utilized a highly comparable WhatsApp image vulnerability.
Samsung has addressed the threat by resolving both CVE-2025-21042 and a related issue, CVE-2025-21043, in a September 2025 update. However, experts noted that LANDFALL is “one of the most complex and hard-to-detect surveillance tools discovered prior to its public announcement”.





