
Security researchers have discovered Android spyware targeting Samsung Galaxy phones during a nearly year-long hacking campaign.
Researchers at Unit 42 of Palo Alto Networks said that the spyware, which they call “Landfall,” was first discovered in July 2024 and relied on exploiting a security vulnerability in the Galaxy phone software that was not known to Samsung at the time, a type of vulnerability known as a zero-day.
Unit 42 said the flaw could be abused by sending a malicious image to a victim’s phone, potentially delivered through a messaging app, and that the attacks may not have required any interaction from the victim.
Samsung corrected the vulnerability — tracked as CVE-2025-21042 — in April 2025, but details of the spyware campaign that abused the vulnerability were not previously reported.
The researchers said it is not known which surveillance company developed the Landfall spyware, nor is it known how many individuals were targeted as part of the campaign. But researchers said the attacks likely targeted individuals in the Middle East.
Itai Cohen, one of Unit 42’s senior principal researchers, told TechCrunch that the hacking campaign consisted of a “precision attack” on specific individuals and not widely distributed malware, suggesting that the attacks were likely driven by espionage.
Unit 42 found that the Landfall spyware shared overlapping digital infrastructure used by a well-known surveillance vendor, Stealth Falcon, which had previously been seen in spyware attacks against Emirati journalists, activists and dissidents since 2012. But researchers said the links to Stealth Falcon, while interesting, were not enough to clearly attribute the attacks to a specific government agent.
Unit 42 said the Landfall spyware samples they discovered were uploaded to VirusTotal, a malware scanning service, from individuals in Morocco, Iran, Iraq and Turkey throughout 2024 and early 2025.
Turkey’s National Cyber Preparedness Team, known as USOM, marked one of the IP addresses contacted by the Landfall spyware as malicious, which Unit 42 said supports the theory that individuals in Türkiye may have been targeted.
Like other government spyware, Landfall is capable of extensive device monitoring, such as accessing a victim’s data, including photos, messages, contacts, and call logs, as well as tapping into a device’s microphone and tracking its precise location.
Unit 42 found that the spyware’s source code flagged five specific Galaxy phones, including the Galaxy S22, S23, S24 and some Z models, as targets. Cohen said that the vulnerability may also have been present on other Galaxy devices, and affected Android versions 13 to 15.
Samsung did not respond to a request for comment.