‘Landfall’ spyware abused zero-day to hack Samsung Galaxy phones

Posted on 7 November 2025 By jobuzo

Security researchers have discovered an Android spyware that targeted Samsung Galaxy phones during a nearly year-long hacking campaign.

Researchers at Palo Alto Networks’ Unit 42 said the spyware, which they call “Landfall,” was first detected in July 2024 and relied on exploiting a security flaw in the Galaxy phone software that was unknown to Samsung at the time, a type of vulnerability known as a zero-day. 

Unit 42 said the flaw could be abused by sending a maliciously crafted image to a victim’s phone, likely delivered through a messaging app, and that the attacks may not have required any interaction from the victim. 

Samsung patched the security flaw — tracked as CVE-2025-21042 — in April 2025, but details of the spyware campaign abusing the flaw have not been previously reported.

The researchers said in a blog post that it’s not known which surveillance vendor developed the Landfall spyware, nor is it known how many individuals were targeted as part of the campaign. But the researchers said that the attacks likely targeted individuals in the Middle East.

Itay Cohen, a senior principal researcher at Unit 42, told TechCrunch that the hacking campaign consisted of a “precision attack” on specific individuals and not a mass-distributed malware, which indicates that the attacks were likely driven by espionage.

Unit 42 found that the Landfall spyware shares overlapping digital infrastructure used by a known surveillance vendor dubbed Stealth Falcon, which has been previously seen in spyware attacks against Emirati journalists, activists, and dissidents as far back as 2012. But the researchers said that the links with Stealth Falcon, while intriguing, were not enough to clearly attribute the attacks to a particular government customer.

Unit 42 said that the Landfall spyware samples that they discovered had been uploaded to VirusTotal, a malware scanning service, from individuals in Morocco, Iran, Iraq, and Turkey throughout 2024 and early 2025.

Turkey’s national cyber readiness team, known as USOM, flagged one of the IP addresses that the Landfall spyware connected to as malicious, which Unit 42 said supports the theory that individuals in Turkey may have been targeted.

Much like other government spyware, Landfall is capable of broad device surveillance, such as accessing the victim’s data, including photos, messages, contacts and call logs, as well as tapping the device’s microphone and tracking the victim’s precise location.

Unit 42 found that the spyware’s source code referenced five specific Galaxy phones, including the Galaxy S22, S23, S24, and some Z models, as targets. Cohen said that the vulnerability may have also been present on other Galaxy devices, and affected Android versions 13 through 15. 

Samsung did not respond to a request for comment.
