‘Landfall’ Spyware Abused Zero-day To Hack Samsung Galaxy Phones


Security researchers have discovered an Android spyware that targeted Samsung Galaxy phones during a nearly year-long hacking campaign.

Researchers at Palo Alto Networks’ Unit 42 said the spyware, which they call “Landfall,” was first detected in July 2024 and relied on exploiting a security flaw in the Galaxy phone software that was unknown to Samsung at the time, a type of vulnerability known as a zero-day.

Unit 42 said the flaw could be abused by sending a maliciously crafted image to a victim’s phone, likely delivered through a messaging app, and that the attacks may not have required any interaction from the victim.

Samsung patched the security flaw — tracked as CVE-2025-21042 — in April 2025, but details of the spyware campaign abusing the flaw have not been previously reported.

The researchers said it’s not known which surveillance vendor developed the Landfall spyware, nor is it known how many individuals were targeted as part of the campaign. But the researchers said that the attacks likely targeted individuals in the Middle East.

Itay Cohen, a senior principal researcher at Unit 42, told TechCrunch that the hacking campaign consisted of a “precision attack” on specific individuals and not a mass-distributed malware, which indicates that the attacks were likely driven by espionage.

Unit 42 found that the Landfall spyware shares overlapping digital infrastructure used by a known surveillance vendor dubbed Stealth Falcon, which has been previously seen in spyware attacks against Emirati journalists, activists, and dissidents as far back as 2012. But the researchers said that the links with Stealth Falcon, while intriguing, were not enough to clearly attribute the attacks to a particular government customer.

Unit 42 said that the Landfall spyware samples that they discovered had been uploaded to VirusTotal, a malware scanning service, from individuals in Morocco, Iran, Iraq, and Turkey throughout 2024 and early 2025.

Turkey’s national cyber readiness team, known as USOM, flagged one of the IP addresses that the Landfall spyware connected to as malicious, which Unit 42 said supports the theory that individuals in Turkey may have been targeted.

Much like other government spyware, Landfall is capable of broad device surveillance, such as accessing the victim’s data, including photos, messages, contacts and call logs, as well as the tapping of the device’s microphone and tracking their precise location.

Unit 42 found that the spyware’s source code referenced five specific Galaxy phones, including the Galaxy S22, S23, S24, and some Z models, as targets. Cohen said that the vulnerability may have also been present on other Galaxy devices, and affected Android versions 13 through 15.

Samsung did not respond to a request for comment.
