Source: TechCrunch
Security researchers have discovered Android spyware targeting Samsung Galaxy phones during a nearly year-long hacking campaign.
Researchers at Palo Alto Networks’ Unit 42 said the spyware, which they call “Landfall,” was first discovered in July 2024 and relied on exploiting a vulnerability in Galaxy phone software that was unknown to Samsung at the time, a type of vulnerability known as a zero-day.
Unit 42 said the flaw could be abused by sending a malicious image to a victim’s phone, potentially delivered through a messaging app, and that the attacks may not have required any interaction from the victim.
Samsung patched the security flaw — tracked as CVE-2025-21042 — in April 2025, but details of the spyware campaign abusing the flaw were not previously reported.
The researchers said it is not known which surveillance company developed the Landfall spyware, nor is it known how many individuals were targeted as part of the campaign. But researchers said the attacks likely targeted individuals in the Middle East.
Itai Cohen, one of Unit 42’s senior principal researchers, told TechCrunch that the hacking campaign consisted of a “precision attack” on specific individuals and not widely distributed malware, suggesting that the attacks were likely driven by espionage.
Unit 42 found that the Landfall spyware shared overlapping digital infrastructure used by a well-known surveillance vendor called Stealth Falcon, which had previously been seen in spyware attacks against Emirati journalists, activists and dissidents since 2012. But researchers said the links to Stealth Falcon, while interesting, were not enough to clearly attribute the attacks to a specific government agent.
Unit 42 said the Landfall spyware samples they discovered were uploaded to VirusTotal, a malware scanning service, by individuals in Morocco, Iran, Iraq and Turkey throughout 2024 and early 2025.
Turkey’s National Cyber Preparedness Team, known as USOM, flagged as malicious one of the IP addresses that the Landfall spyware connected to, which Unit 42 said supports the theory that individuals in Turkey may have been targeted.
Like other government spyware, Landfall is capable of extensive device monitoring, such as accessing a victim’s data, including photos, messages, contacts, and call logs, as well as tapping into a device’s microphone and tracking its precise location.
Unit 42 found that the spyware’s source code flagged five specific Galaxy phones, including the Galaxy S22, S23, S24 and some Z models, as targets. Cohen said that the vulnerability may also have been present on other Galaxy devices, and that it affected Android versions 13 to 15.
Samsung did not respond to a request for comment.
Posted on 1762516191
