Security researchers discovered an Android spyware targeting Samsung Galaxy phones during a nearly year-long hacking campaign.
Researchers at Palo Alto Networks’ Unit 42 said the spyware, which they call “Landfall,” was first detected in July 2024 and relied on exploiting a security flaw in Galaxy phone software unknown to Samsung at the time, a type of vulnerability known as a zero-day.
Unit 42 said the flaw could be abused by sending a maliciously crafted image to a victim’s phone, likely delivered via a messaging app, and that attacks could require no interaction from the victim.
Samsung patched the security flaw — identified as CVE-2025-21042 — in April 2025, but details of the spyware campaign exploiting the flaw have not previously been reported.
The researchers said in a blog post that it is not known which surveillance vendor developed the Landfall spyware, nor is it known how many people were targeted as part of the campaign. However, investigators said the attacks likely targeted people in the Middle East.
Itay Cohen, senior principal investigator at Unit 42, told TechCrunch that the hacking campaign consisted of a “precision attack” on specific individuals rather than mass-distributed malware, indicating that the attacks were likely motivated by espionage.
Unit 42 found that the Landfall spyware shares overlapping digital infrastructure with that used by a well-known surveillance vendor called Stealth Falcon, previously seen in spyware attacks against Emirati journalists, activists and dissidents as early as 2012. However, researchers said the links to Stealth Falcon, while intriguing, were not enough to clearly attribute the attacks to a specific government client.
Unit 42 said the Landfall spyware samples they discovered had been uploaded to VirusTotal, a malware scanning service, by people in Morocco, Iran, Iraq and Turkey during 2024 and early 2025.
Turkey’s national cyber preparedness team, known as USOM, flagged one of the IP addresses the Landfall spyware linked to as malicious, which Unit 42 said supports the theory that people in Turkey may have been targeted.
Like other government eavesdropping programs, Landfall is capable of broad device surveillance, such as accessing the victim’s data, including photos, messages, contacts and call logs, as well as tapping the device’s microphone and tracking its exact location.
Unit 42 found that the spyware’s source code targeted five specific Galaxy phones, including the Galaxy S22, S23, S24, and some Z models. Cohen said the vulnerability may have existed in other Galaxy devices and affected Android versions 13 through 15.
Samsung did not respond to a request for comment.
