Security researchers have just revealed a sophisticated Android spyware, dubbed “Landfall,” that exploited a critical zero-day vulnerability to hack Samsung Galaxy phones. Discovered by Palo Alto Networks’ Unit 42, the spyware targeted users over nearly a year, with attacks first identified in July 2024.
The spyware leveraged an unpatched security flaw in Galaxy phone software, formally identified as CVE-2025-21042. This vulnerability could be exploited by sending a maliciously crafted image to victims’ devices, likely through popular messaging apps, and, alarmingly, it may have required no interaction from the user. Samsung addressed this flaw in April 2025, but details regarding the spyware’s extensive campaign have only now emerged.
Unit 42 indicated that the attacks primarily focused on individuals in the Middle East, suggesting a targeted espionage operation. Itay Cohen, a senior principal researcher at Unit 42, emphasized that these were not random, mass-distributed attacks but rather “precision attacks” aimed at specific individuals.
While the exact origin of the Landfall spyware remains unconfirmed, researchers noted its overlap with digital infrastructure linked to the notorious surveillance vendor, Stealth Falcon. This group has a documented history of targeting journalists, activists, and dissidents, particularly in Turkey and the broader region, dating back to 2012.
Unit 42’s findings revealed that samples of the spyware were uploaded to VirusTotal from various locations, including Morocco, Iran, Iraq, and Turkey throughout 2024 and early 2025. A notable connection to a malicious IP flagged by Turkey’s national cyber readiness team, USOM, reinforces the theory that specific individuals in Turkey were likely victims of this hacking campaign.
The Landfall spyware is capable of extensive device surveillance, allowing attackers to access personal data such as photos, messages, contacts, and call logs. Moreover, it can tap into the device’s microphone and track the user’s precise location. The spyware specifically referenced five models of Galaxy phones, including the Galaxy S22, S23, and S24, indicating that a wide range of users could be at risk. Cohen also advised that the vulnerability could have affected other Galaxy devices running Android versions 13 through 15.
As the investigation continues, the implications of this spyware discovery are significant, emphasizing the urgent need for users to remain vigilant and for manufacturers like Samsung to prioritize security updates.
