UPDATE: A new report reveals that the Landfall spyware has been exploiting a critical zero-day vulnerability to hack Samsung Galaxy phones in a targeted campaign lasting nearly a year. Discovered by researchers at Palo Alto Networks’ Unit 42, the spyware first came to light in July 2024 and utilized a previously unknown flaw in Galaxy phone software, tracked as CVE-2025-21042.
The spyware’s method of attack is alarming. Victims were targeted through maliciously crafted images, likely delivered via messaging apps, potentially without any interaction from the victim. This makes the threat particularly insidious, as users may not even be aware they are being compromised.
Samsung responded to this urgent security risk by patching the vulnerability in April 2025, but critical details about the spyware’s campaign had not been disclosed until now. While the specific number of individuals targeted remains unclear, researchers speculate that the attacks predominantly affected individuals in the Middle East.
Itay Cohen, a senior principal researcher at Unit 42, described the hacking campaign as a “precision attack” aimed at specific individuals, indicating a higher likelihood of espionage rather than mass distribution of malware. The spyware shares digital infrastructure with the notorious surveillance vendor Stealth Falcon, known for previous attacks on Emirati journalists and activists dating back to 2012.
Unit 42 discovered that samples of the Landfall spyware were uploaded to VirusTotal from users located in Morocco, Iran, Iraq, and Turkey throughout 2024 and early 2025. The Turkish national cyber readiness team, USOM, flagged one of the IP addresses linked to Landfall as malicious, further supporting the theory that individuals in Turkey were among those targeted.
The capabilities of Landfall spyware are extensive, allowing broad surveillance of infected devices. It can access sensitive data, including photos, messages, contacts, and call logs, as well as activate the device’s microphone and track precise locations. The source code revealed that it specifically targets five Galaxy models, including the Galaxy S22, S23, and S24, with indications that other Galaxy devices may also be vulnerable due to this flaw.
As the implications of this spyware campaign unfold, experts urge Samsung users to ensure their devices are updated to the latest software version. Immediate vigilance is necessary, especially for those in regions where the spyware has been active.
The investigation continues as researchers strive to uncover the full extent of the Landfall spyware’s impact and its ties to potential government espionage. Users are encouraged to stay informed and take steps to protect their personal information.
Stay tuned for further updates on this developing story, as the cybersecurity landscape rapidly evolves.
