Security researchers at Palo Alto Networks Unit 42 have uncovered a sophisticated espionage campaign leveraging a zero-day vulnerability in select Samsung Galaxy Android devices. The flaw, tracked as CVE‑2025‑21042 (CVSS 8.8), is an out-of-bounds write defect in the libimagecodec.quram.so image-processing library, which could allow remote code execution. According to Unit 42, the flaw was exploited in the wild prior to the patch being issued by Samsung in April 2025.
The campaign's centrepiece is a previously undocumented Android spyware family dubbed LANDFALL. The infection chain begins with a malformed DNG (Digital Negative) image file carrying filenames typical of WhatsApp transfers (e.g., “WhatsApp Image 2025-02-10 at 4.54.17 PM.jpeg” or “IMG-20240723-WA0000.jpg”), even though the content is a TIFF-based DNG rather than a JPEG. A ZIP archive is appended to the end of the image; once the parser bug is triggered, the exploit extracts shared-object libraries (.so) from that archive onto the device. One module manipulates SELinux policy to escalate privileges; the other serves as the loader/backdoor.
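To make the polyglot construction concrete, the following triage script is an added example, not code from Unit 42 or from this article. It identifies an attachment's real container by its magic bytes (a DNG is TIFF-based, whatever its extension says), looks for a ZIP End-Of-Central-Directory record after the image data, computes where the appended archive begins and lists its entries. The sample files, the placeholder entry names loader.so and policy.so, and the helper names are constructed for this example; they are not the campaign's actual artefacts.

```python
"""Triage check for image files with a ZIP archive glued to the tail.

Added example, not code from Unit 42 or the original article. It inspects a
file the way a chat gateway or IR analyst might: identify the real container
by magic bytes, then look for a ZIP End-Of-Central-Directory record after the
image data and recover the embedded entry names. Inputs are constructed.
"""
import io
import os
import struct
import zipfile

TIFF_MAGICS = (b"II*\x00", b"MM\x00*")   # little/big-endian TIFF; DNG uses this header
JPEG_MAGIC = b"\xff\xd8\xff"
EOCD_SIG = b"PK\x05\x06"                  # ZIP End-Of-Central-Directory signature
LOCAL_HDR_SIG = b"PK\x03\x04"             # ZIP local file header signature
EOCD_FIXED_LEN = 22                       # EOCD record without its optional comment
MAX_ZIP_COMMENT = 0xFFFF

EXT_TO_CONTAINER = {
    ".jpg": "jpeg", ".jpeg": "jpeg",
    ".dng": "tiff/dng", ".tif": "tiff/dng", ".tiff": "tiff/dng",
}


def detect_container(data: bytes) -> str:
    """Classify the real container by magic bytes, ignoring the filename."""
    if data[:4] in TIFF_MAGICS:
        return "tiff/dng"
    if data[:3] == JPEG_MAGIC:
        return "jpeg"
    return "unknown"


def find_appended_zip(data: bytes):
    """Return details of a ZIP archive appended after image data, or None.

    The EOCD record sits at the very end of a ZIP (optionally followed by a
    comment of up to 65535 bytes), so only the tail needs scanning. Its
    central-directory offset is relative to the start of the archive, which
    lets us compute where the archive begins inside the host file.
    """
    tail_start = max(0, len(data) - (EOCD_FIXED_LEN + MAX_ZIP_COMMENT))
    eocd = data.rfind(EOCD_SIG, tail_start)
    if eocd < 0 or eocd + EOCD_FIXED_LEN > len(data):
        return None
    # After the 4-byte signature: disk_no(2) cd_disk(2) entries_this_disk(2)
    # entries_total(2) cd_size(4) cd_offset(4) comment_len(2)
    _, _, _, entries_total, cd_size, cd_offset, _ = struct.unpack_from("<HHHHIIH", data, eocd + 4)
    cd_start = eocd - cd_size          # absolute position of the central directory
    zip_start = cd_start - cd_offset   # absolute position where the archive begins
    if zip_start <= 0 or zip_start >= len(data):
        return None                    # zip_start == 0 would mean the file simply *is* a ZIP
    if entries_total and data[zip_start:zip_start + 4] != LOCAL_HDR_SIG:
        return None                    # offsets do not line up with a real archive
    try:
        with zipfile.ZipFile(io.BytesIO(data[zip_start:])) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        names = []
    return {"zip_offset": zip_start, "image_length": zip_start, "entries": names}


def triage(filename: str, data: bytes) -> dict:
    """Combine the checks into one verdict for a received attachment."""
    container = detect_container(data)
    expected = EXT_TO_CONTAINER.get(os.path.splitext(filename)[1].lower())
    mismatch = expected is not None and expected != container
    appended = find_appended_zip(data)
    return {"filename": filename, "container": container,
            "extension_mismatch": mismatch, "appended_zip": appended,
            "suspicious": mismatch or appended is not None}


def build_polyglot_sample():
    """Constructed input: minimal TIFF/DNG header with a ZIP appended.

    Entry names are placeholders, not the real LANDFALL component names.
    """
    tiff = b"II*\x00" + struct.pack("<I", 8)            # magic, first IFD at offset 8
    tiff += struct.pack("<H", 0) + struct.pack("<I", 0)  # empty IFD, no next IFD
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("loader.so", b"\x7fELF" + b"\x00" * 12)  # placeholder ELF stub
        zf.writestr("policy.so", b"\x7fELF" + b"\x00" * 12)
    # Filename pattern taken from the article; the bytes are a TIFF, not a JPEG.
    return "WhatsApp Image 2025-02-10 at 4.54.17 PM.jpeg", tiff + buf.getvalue()


def build_clean_sample():
    """Constructed input: a tiny JPEG-looking file with nothing appended."""
    return "IMG-20240723-WA0000.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16 + b"\xff\xd9"


if __name__ == "__main__":
    for name, blob in (build_polyglot_sample(), build_clean_sample()):
        print(triage(name, blob))
```

Run directly, the script triages both constructed samples. In a gateway or incident-response workflow the same check would be applied to every image received over a messaging app, and any file whose container disagrees with its extension, or that carries trailing archive data, would be quarantined for analysis rather than handed to an image parser.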
Targeting and Capabilities
The malware appears to target flagship Samsung models including the Galaxy S22, S23, S24, Z Fold 4 and Z Flip 4. Based on VirusTotal submission data and threat-intelligence observations, the potential targets appear to be located in the Middle East and North Africa, specifically Iraq, Iran, Turkey and Morocco.
Once installed, LANDFALL enables wide-ranging surveillance capabilities. Researchers observed it can:
- record microphone audio and calls;
- track device location;
- harvest photos, SMS, files, contacts, call logs;
- maintain persistence through modified SELinux policy.
While Unit 42 indicates that a “zero-click” delivery (one requiring no user interaction) may have been used, there is as yet no concrete evidence that a messaging-app vulnerability was chained with the image-parser flaw. The initial delivery vector remains unconfirmed.
Broader Context & Attribution
This campaign does not stand alone. In September 2025 Samsung disclosed a separate zero-day in the same image-processing library, CVE‑2025‑21043 (also CVSS 8.8), though researchers found no evidence that LANDFALL exploited this variant.
Meanwhile, parallels are seen with Apple’s ecosystem: in August 2025, Meta Platforms/WhatsApp disclosed a flaw (CVE-2025-55177) that was chained with Apple’s own DNG vulnerability (CVE-2025-43300) to deliver spyware to iOS/macOS devices.
Unit 42 tracks the LANDFALL campaign as cluster CL-UNK-1054. They highlight similarities in domain registration and command-and-control patterns to the threat actor known as Stealth Falcon (also called “FruityArmor”), historically active in the Middle East. However, they caution that no definitive attribution has been established.
Significance and Risks
This campaign underscores a number of troubling trends in mobile security:
- Image-processing libraries (here, DNG/TIFF derivatives) are emerging as key attack surfaces.
- Delivery through messaging apps, using files that look like ordinary images, lowers the barrier to infiltration.
- The modular architecture of LANDFALL (loader + privilege-escalation + C2) resembles commercial spyware more than commodity malware — suggesting a targeted espionage motive, not mass consumer fraud.
Since Samsung's patch dates to April 2025, devices that have applied it are no longer exposed to CVE-2025-21042. The earliest LANDFALL samples, however, trace back to July 2024, which means the flaw was exploited for roughly nine months before a fix was available.
What Users & Organisations Should Do
- Ensure devices are fully updated. Samsung patched CVE-2025-21042 in April 2025.
- For organisations, treat mobile devices (especially flagship handsets) as potential targets for espionage — not just standard malware.
- Monitor for anomalous behaviour: connections to known C2 indicators, suspicious image files received over chat apps (in particular DNG content carrying a .jpg/.jpeg name or trailing archive data), and unexpected microphone or recording activity.
- Review messaging-app usage policies and scrutinise attachments (including image files) even when coming from trusted parties.
Conclusion
The discovery of the LANDFALL Android spyware campaign exploiting a Samsung zero-day shines a spotlight on the evolving threats to mobile ecosystems. What might once have been dismissed as “just a phone hack” is increasingly in the domain of high-end espionage. The targeting of Galaxy devices via malformed image files, combined with sophisticated privilege-escalation and C2 modules, suggests the kind of operation normally associated with state-level actors or commercial spyware vendors. Although the vulnerability has been patched, the lessons are far from theoretical: as long as new zero-days in mobile-device stacks remain, the surveillance risk remains very real.