BREAKING: Security researchers have uncovered a sophisticated Android spyware, dubbed “Landfall,” that has targeted Samsung Galaxy phones in a nearly year-long hacking campaign. Details of this alarming discovery were just announced by Palo Alto Networks’ Unit 42, revealing that the spyware exploits a zero-day vulnerability in Galaxy software, first detected in July 2024.
The spyware leverages a previously unknown security flaw, tracked as CVE-2025-21042, allowing attackers to infiltrate devices by sending a maliciously crafted image via messaging apps. Disturbingly, these attacks likely required no interaction from victims, raising serious concerns about user safety and device security.
Samsung patched the security flaw in April 2025, but details of the spyware campaign have only now come to light. The precise number of individuals targeted remains unclear, but researchers indicate that the campaign primarily focused on specific individuals in the Middle East.
“It’s a precision attack,” explained Itay Cohen, a senior principal researcher at Unit 42, in an interview with TechCrunch. This is not a case of mass-distributed malware; instead, the evidence suggests a targeted espionage effort against select individuals.
The spyware shows connections to a known surveillance vendor, Stealth Falcon, which has previously been implicated in attacks against Emirati journalists and dissidents dating back as early as 2012. While these links are intriguing, they do not definitively attribute the attacks to any specific government entity.
Unit 42’s investigation revealed that samples of the Landfall spyware were uploaded to VirusTotal by individuals in Morocco, Iran, Iraq, and Turkey throughout 2024 and early 2025. Turkey’s national cyber readiness team, known as USOM, flagged one of the spyware’s associated IP addresses as malicious, further supporting the theory that individuals in Turkey may have been targeted.
The capabilities of the Landfall spyware are extensive, allowing for invasive device surveillance. It can access victims’ data, including photos, messages, contacts, and call logs, and can even tap into the device’s microphone and track exact locations. The researchers found that the spyware’s source code referenced several Galaxy models, including the Galaxy S22, S23, and S24, along with some Z models, indicating a broad range of affected devices. Notably, the vulnerability may also extend to other Galaxy products running Android versions 13 through 15.
As cybersecurity threats continue to evolve, this alarming discovery underscores the urgent need for vigilance among Galaxy phone users, particularly those in high-risk regions. With the potential for targeted surveillance on the rise, it has never been more crucial for individuals to stay informed about security updates.
Samsung has yet to respond to requests for comment regarding the implications of this spyware or the specific measures being taken to prevent future attacks.
WHAT’S NEXT: As this story develops, users of Samsung Galaxy devices are advised to ensure their software is updated and to remain cautious of unsolicited messages, especially those containing images. The cybersecurity community is closely monitoring the situation for further developments.
Stay tuned for updates as more information becomes available.
