Landfall Spyware: Zero-Day Hack Targets Samsung Galaxy Phones

November 7, 2025

Android Spyware Targets Samsung Galaxy Phones

A sophisticated spyware tool, dubbed “Landfall,” has been identified as targeting Samsung Galaxy phones in a prolonged hacking operation spanning almost a year.

Discovery and Initial Detection

Security experts at Palo Alto Networks’ Unit 42 initially detected the spyware in July 2024. The malware exploited a previously unknown security vulnerability within the Galaxy phone software.

This type of flaw, known as a zero-day vulnerability, was not known to Samsung at the time of the initial attacks.

Attack Vector and Exploitation

The vulnerability allowed for exploitation through the delivery of a specially crafted image to a victim’s phone. This delivery likely occurred via a messaging application.

Notably, the attacks may not have required any action by the user, which suggests the infection could have been silent.

Patch and Reporting Delay

Samsung addressed the security flaw, identified as CVE-2025-21042, with a patch released in April 2025. However, details regarding the spyware campaign leveraging this flaw remained unreported until now.

Targeting and Attribution

The identity of the surveillance vendor responsible for developing the Landfall spyware remains unknown. Similarly, the exact number of individuals targeted by the campaign is currently unclear.

However, researchers believe the attacks were primarily focused on individuals located in the Middle East.

Precision Attack and Espionage

Itay Cohen, a senior principal researcher at Unit 42, characterized the hacking campaign as a “precision attack.” This suggests a focus on specific individuals rather than widespread malware distribution.

This targeted approach points towards a likely motivation of espionage.

Links to Stealth Falcon

The Landfall spyware shares digital infrastructure with a known surveillance vendor, Stealth Falcon. Stealth Falcon has been linked to previous spyware attacks targeting Emirati journalists, activists, and dissidents dating back to 2012.

While these connections are noteworthy, researchers emphasize that they are insufficient to definitively attribute the attacks to a specific government entity.

Geographic Distribution of Samples

Analysis of Landfall spyware samples uploaded to VirusTotal, a malware scanning service, showed that they were submitted by individuals in Morocco, Iran, Iraq, and Turkey throughout 2024 and early 2025.

Turkish Targeting Indication

Turkey’s national cyber readiness team, USOM, identified an IP address connected to the Landfall spyware as malicious. This finding supports the possibility that individuals within Turkey were specifically targeted.

Spyware Capabilities

Like many government-grade spyware tools, Landfall possesses extensive surveillance capabilities.

These include access to user data such as photos, messages, contacts, and call logs, as well as the ability to activate the device’s microphone and track the user’s location.

Affected Devices and Android Versions

The spyware’s source code specifically references five Samsung Galaxy phone models: the Galaxy S22, S23, S24, and certain Z series devices.

Cohen indicated that the vulnerability may have affected a broader range of Galaxy devices and Android versions 13 through 15.

Samsung's Response

Samsung has not yet issued a public response to requests for comment regarding this matter.
