‘Landfall’ spyware abused zero-day to hack Samsung Galaxy phones

A recent investigation has unveiled a sophisticated Android spyware known as "Landfall," which specifically targeted Samsung Galaxy phones over the course of nearly a year. According to researchers from Palo Alto Networks' Unit 42, this malware was first identified in July 2024, exploiting a previously undisclosed security flaw in Galaxy phone software, categorized as a zero-day vulnerability. The spyware could infiltrate devices by sending a carefully crafted image to victims, presumably through messaging applications, and notably, these attacks often required no user interaction. Samsung addressed this critical security flaw, identified as CVE-2025-21042, in April 2025, yet prior information about the spyware campaign leveraging this vulnerability had not been made public. While the exact origin of the Landfall spyware remains unclear, researchers suspect that the campaign primarily targeted individuals in the Middle East. Itay Cohen, a senior principal researcher at Unit 42, characterized the hacking efforts as "precision attacks" aimed at select individuals rather than indiscriminate malware distribution, suggesting motives tied to espionage. Notably, the Landfall spyware shares infrastructure with the known surveillance vendor Stealth Falcon, which has a history of targeting Emirati journalists and activists since 2012. However, the available evidence is insufficient to definitively link these attacks to a specific governmental entity. Unit 42's findings indicated that samples of the spyware were uploaded to VirusTotal from users in Morocco, Iran, Iraq, and Turkey during 2024 and early 2025. Additionally, Turkey's national cyber readiness team, USOM, flagged one of the spyware's IP addresses as malicious, reinforcing the theory that Turkish individuals might have been among those targeted. Similar to other governmental spyware, Landfall possesses extensive surveillance capabilities, allowing it to access a victim's data—photos, messages, contacts, and call logs—along with the ability to activate the device's microphone and track the user's location. The spyware's source code identified five specific Galaxy models, including the Galaxy S22, S23, S24, and select Z models, as potential targets. Cohen also indicated that the vulnerability could have affected additional Galaxy devices and Android versions 13 through 15. Samsung has yet to respond to inquiries regarding this issue.