Overview
- Researchers say attackers weaponized malformed DNG images, sometimes disguised as JPEGs and delivered via chats such as WhatsApp, to trigger code execution in Samsung’s image processing library (tracked by Unit 42 as CVE-2025-21042).
- Exploitation activity dates to at least July 2024, with Samsung issuing a fix in its April 2025 security update and full technical details publicly released by Unit 42 on November 7, 2025.
- Identified targets include Galaxy S22, S23 and S24 series and some Galaxy Z foldables, while SamMobile reports the current Galaxy S25 does not appear vulnerable.
- The spyware, dubbed Landfall, can exfiltrate photos, contacts and call logs, record audio through the microphone and track precise location, indicating commercial‑grade surveillance capabilities.
- Evidence points to focused operations against individuals in countries including Morocco, Iran, Iraq and Turkey, with attribution unresolved although infrastructure overlaps with a group referred to as Stealth Falcon.