‘Landfall’ spyware abused zero-day to hack Samsung Galaxy phones


By Aritro Sarker



Security researchers discovered an Android spyware that targeted Samsung Galaxy phones during a nearly year-long hacking campaign.

Researchers at Palo Alto Networks’ Unit 42 said the spyware, which they called “Landfall,” was first detected in July 2024 and relied on exploiting a security flaw in Galaxy phone software that was unknown to Samsung at the time, a type of vulnerability known as a zero-day.

Unit 42 said the flaw could be exploited by sending a maliciously crafted image to a vulnerable phone, possibly delivered via a messaging app, and attacks may not require any interaction from the victim.

Samsung patched the security flaw, tracked as CVE-2025-21042, in April 2025, but details of the spyware campaign exploiting the flaw were not previously reported.

The researchers said in a blog post that it is not known which surveillance vendor developed the Landfall spyware, nor how many individuals were targeted as part of the campaign. But the researchers said the attacks likely targeted individuals in the Middle East.

Itay Cohen, a senior principal researcher at Unit 42, told TechCrunch that the hacking campaign consisted of a “precision attack” on specific individuals and not a mass-distributed malware, indicating that the attacks were likely driven by espionage.

Unit 42 found that the Landfall spyware shares overlapping digital infrastructure with that used by a known surveillance vendor dubbed Stealth Falcon, which has previously been seen in spyware attacks against Emirati journalists, activists and dissidents as far back as 2012. But researchers said the connections to Stealth Falcon, while intriguing, weren’t enough to clearly attribute the attack to a specific government customer.

Unit 42 said the Landfall spyware samples they discovered were uploaded to VirusTotal, a malware scanning service, by individuals in Morocco, Iran, Iraq and Turkey in 2024 and early 2025.

Turkey’s national cyber readiness team, known as USOM, flagged one of the IP addresses connected to the Landfall spyware as malicious, which Unit 42 said supports the theory that individuals in Turkey may have been targeted.

Like other government spyware, Landfall is capable of extensive device surveillance, such as accessing victims’ data including photos, messages, contacts and call logs, as well as tapping the device’s microphone and tracking their precise location.

Unit 42 found that the spyware’s source code mentioned five specific Galaxy phones as targets, including the Galaxy S22, S23, S24 and some Z models. Cohen said the vulnerability may also be present in other Galaxy devices and affected Android versions 13 through 15.

Samsung did not respond to a request for comment.
