‘Landfall’ spyware abused zero-day to hack Samsung Galaxy phones

Security researchers uncovered “Landfall,” Android spyware that targeted Samsung Galaxy phones in a year-long hacking campaign exploiting the zero-day vulnerability CVE-2025-21042.

Nov 7, 2025 - 07:51

Security researchers at Palo Alto Networks’ Unit 42 have uncovered a sophisticated Android spyware campaign that specifically targeted Samsung Galaxy smartphones throughout early this year.

The spyware, dubbed “Landfall,” was first detected in July 2024 and exploited a previously unknown zero-day vulnerability in Samsung’s proprietary Android software, allowing hackers to infect devices without user interaction.

According to the Unit 42 team, the exploit involved sending a maliciously crafted image to a victim’s phone—potentially through a messaging app—that triggered the flaw automatically once received.

Zero-Day Exploit and Samsung’s Response

The vulnerability, tracked as CVE-2025-21042, allowed remote attackers to gain full access to targeted Galaxy devices. Samsung quietly patched the issue in April 2025, but this is the first public disclosure linking the fix to an active spyware campaign.

“It’s unclear who developed the Landfall spyware or how many victims were affected,” the researchers said in their blog post. “However, all signs suggest that this was a precision attack, not a widespread malware campaign.”

Unit 42 senior researcher Itay Cohen described Landfall as a targeted espionage tool designed to infiltrate the phones of specific individuals, likely in the Middle East.

Possible Ties to Known Surveillance Group

While no developer or state actor has been definitively linked to the spyware, Unit 42 discovered that Landfall’s command-and-control infrastructure overlaps with domains and servers previously attributed to Stealth Falcon, a well-documented surveillance vendor believed to have operated on behalf of Emirati authorities since 2012.

Stealth Falcon’s past operations have targeted journalists, activists, and dissidents across the Gulf region. Still, researchers cautioned that the shared infrastructure “is not sufficient to establish attribution to a specific government or vendor.”

Global Traces and Regional Targets

The Landfall malware samples were uploaded to VirusTotal—a public malware analysis platform—between 2024 and early 2025 from devices in Morocco, Iran, Iraq, and Turkey, suggesting the campaign’s regional focus.

Turkey’s National Cyber Readiness Centre (USOM) later flagged one of the IP addresses associated with Landfall as malicious, lending further evidence that Turkish users were among the targets.

Capabilities: Full-Scale Device Surveillance

Like other government-grade spyware, Landfall can perform comprehensive device surveillance, giving attackers full access to:

  • Photos, videos, and stored documents
  • Messages, contacts, and call logs
  • Real-time microphone and camera feeds
  • Precise GPS location data

Unit 42’s analysis found that the spyware’s code explicitly referenced five Galaxy devices — including the Galaxy S22, S23, S24, and several Z-series foldable models — as primary targets.

Cohen added that the flaw likely affected multiple Galaxy devices running Android versions 13 through 15.

Samsung Yet to Comment

Despite patching the vulnerability in April 2025, Samsung has not publicly acknowledged the Landfall campaign or responded to requests for comment.

The discovery highlights growing concerns about the proliferation of commercial spyware and government-backed hacking operations, particularly in regions where surveillance technology has been repeatedly deployed against journalists, dissidents, and human rights activists.

TechAmerica.ai Staff