New Android spyware targeted Samsung phones for over a year
The flaw was first detected in July 2024

Nov 08, 2025
05:28 pm

What's the story

A new Android spyware, dubbed "Landfall," has been discovered by security researchers at Palo Alto Networks' Unit 42. The malicious software targeted Samsung Galaxy phones in a year-long hacking campaign, exploiting a zero-day vulnerability in the phones' software. The flaw was first detected in July 2024 and was unknown to Samsung until it was patched in April 2025.

Attack method

Hackers exploited 0-day vulnerability in Samsung software

The zero-day vulnerability in Samsung's software was exploited by sending a specially crafted image to the target's phone, likely through a messaging app. The researchers from Unit 42 noted that these attacks may not have needed any interaction from the victim. Samsung patched this security flaw, tracked as CVE-2025-21042, in April 2025, but details of the spyware campaign exploiting it had not been previously reported.

Target profile

Attacks likely focused on individuals in the Middle East

The origin of the Landfall spyware remains unknown, as does the number of people targeted in this campaign. However, Unit 42 researchers believe that the attacks were likely aimed at people in the Middle East. Itay Cohen, a senior principal researcher at Unit 42, told TechCrunch that this hacking campaign was a "precision attack" on specific individuals rather than mass-distributed malware.

Possible links

Landfall spyware linked to known surveillance vendor Stealth Falcon

The Landfall spyware shares digital infrastructure with a known surveillance vendor called Stealth Falcon. This group has been linked to spyware attacks against Emirati journalists, activists, and dissidents since 2012. However, the researchers clarified that while these connections are interesting, they don't directly link the attacks to any specific government client.

Global reach

Turkey may have been a target of this campaign

Samples of the Landfall spyware were uploaded to VirusTotal, a malware scanning service, from users in Morocco, Iran, Iraq, and Turkey between 2024 and early 2025. Turkey's national cyber readiness team flagged one of the IP addresses associated with this spyware as malicious. This further supports the theory that people in Turkey may have been targeted by this campaign.

Surveillance scope

Spyware can extensively surveil victims, track location, access messages

Like other government spyware, Landfall can conduct extensive device surveillance. This includes accessing victims' data such as photos, messages, contacts, and call logs. It can also tap into the device's microphone and track the victim's exact location. The spyware's source code mentioned five specific Galaxy phones (Galaxy S22, S23, S24, and some Z models) as potential targets. Cohen said the vulnerability may have existed on other Galaxy devices too and impacted Android versions 13 to 15.