Cybersecurity experts have identified an Android spyware that focused on Samsung Galaxy devices throughout a hacking operation that lasted almost a year.
Specialists from Palo Alto Networks’ Unit 42 reported that the spyware, named “Landfall,” was initially spotted in July 2024. It exploited a vulnerability in Galaxy phone software that Samsung was unaware of at the time—a so-called zero-day flaw.
According to Unit 42, attackers could exploit the vulnerability by sending a specially crafted image to the target’s device, most likely through a messaging platform, and the attack might not have required any action from the user.
Samsung addressed the vulnerability—identified as CVE-2025-21042—in April 2025, but this is the first time details about the spyware campaign using this flaw have come to light.
In a blog post, the researchers noted that it remains unclear which surveillance company created the Landfall spyware or how many people were affected. However, they believe the operation mainly targeted individuals in the Middle East.
Itay Cohen, a senior principal researcher at Unit 42, explained to TechCrunch that the campaign was a “precision attack” aimed at particular individuals rather than a widespread malware outbreak, suggesting an espionage motive.
Unit 42 discovered that Landfall’s digital infrastructure overlaps with that of a known surveillance group called Stealth Falcon, which has previously been linked to spyware attacks on journalists, activists, and dissidents from the UAE since 2012. Still, the researchers said the connection to Stealth Falcon was not strong enough to definitively tie the campaign to any specific government client.
The team found that samples of the Landfall spyware had been uploaded to VirusTotal, a malware analysis platform, by users in Morocco, Iran, Iraq, and Turkey during 2024 and early 2025.
Turkey’s national cyber defense agency, USOM, identified one of the IP addresses used by Landfall as malicious, which Unit 42 said supports the idea that Turkish users may have been among the targets.
Similar to other state-sponsored spyware, Landfall can conduct extensive surveillance on devices, such as accessing the victim’s files, photos, messages, contacts, call history, activating the microphone, and tracking exact locations.
Unit 42 also noted that the spyware’s code specifically mentioned five Galaxy models, including the Galaxy S22, S23, S24, and certain Z series devices, as intended targets. Cohen added that the vulnerability could have affected other Galaxy models as well, impacting Android versions 13 to 15.
Samsung did not provide a comment when contacted.
