UPDATE: Security researchers have unveiled a significant hacking campaign using a new Android spyware dubbed “Landfall,” which specifically targeted Samsung Galaxy phones for nearly a year. Discovered by Palo Alto Networks’ Unit 42, this spyware exploited a previously unknown security vulnerability, known as a zero-day, in the Galaxy software, putting millions of users at risk.
The spyware was first detected in July 2024 and is believed to have been delivered through a maliciously crafted image sent via messaging apps, potentially requiring no interaction from victims. This alarming discovery raises urgent concerns about the security of personal data for Galaxy phone users worldwide.
Samsung issued a patch for the exploited flaw, tracked as CVE-2025-21042, in April 2025, but details surrounding the scope and impact of the Landfall spyware remained unknown until now. Itay Cohen, a senior principal researcher at Unit 42, described the campaign as a “precision attack” aimed at specific individuals, likely linked to espionage efforts in the Middle East.
Unit 42’s findings indicate that this spyware shares digital infrastructure with Stealth Falcon, a known surveillance vendor implicated in prior attacks on journalists and activists in the region. While links to Stealth Falcon are notable, researchers have not definitively attributed the attacks to any government entity.
Throughout 2024 and early 2025, samples of Landfall spyware were uploaded to VirusTotal by individuals located in Morocco, Iran, Iraq, and Turkey. The Turkish national cyber readiness team, known as USOM, flagged one of the spyware’s IP addresses as malicious, suggesting that users in Turkey were targeted.
The spyware is capable of extensive device surveillance, allowing access to sensitive data such as photos, messages, contacts, and call logs. It can also activate the device’s microphone and track precise locations, heightening the threat to personal privacy. Unit 42 found that Landfall specifically referenced the Galaxy S22, S23, S24, and select Z models as targets. Experts warn that other Galaxy devices may also be vulnerable, with Android versions 13 through 15 affected.
The implications of this spyware are staggering, particularly for individuals in the Middle East at risk of being monitored. With the recent revelation of the spyware’s capabilities, users are urged to remain vigilant and ensure their devices are updated with the latest security patches.
Next steps: As authorities investigate the origins and target demographics of the Landfall spyware, users of Samsung Galaxy devices should immediately update their software and remain alert for any suspicious activity.
