BREAKING: Security researchers have revealed a sophisticated spyware campaign dubbed “Landfall” that has been actively targeting Samsung Galaxy phones since July 2024. This alarming discovery by Palo Alto Networks’ Unit 42 highlights the exploitation of a zero-day vulnerability in Galaxy software, posing a significant threat to users, particularly in the Middle East.
The spyware leveraged a previously unknown flaw, tracked as CVE-2025-21042, allowing hackers to infiltrate devices by sending maliciously crafted images, likely through messaging apps. Notably, these attacks may have occurred without any user interaction, amplifying the risks for unsuspecting victims.
Samsung patched the security vulnerability in April 2025, but the implications of the Landfall spyware campaign have only now come to light. While the exact number of targets remains unconfirmed, the attacks appear to focus on specific individuals, suggesting a motive tied to espionage rather than mass malware distribution.
According to Itay Cohen, a senior principal researcher at Unit 42, this “precision attack” raises concerns over the potential involvement of state-sponsored surveillance efforts. The spyware shares digital infrastructure with the notorious Stealth Falcon surveillance vendor, linked to previous attacks against Emirati journalists and activists dating back to 2012.
Unit 42’s findings indicate that samples of Landfall spyware were uploaded to VirusTotal from individuals across Morocco, Iran, Iraq, and Turkey throughout 2024 and early 2025. The Turkish national cyber readiness team, known as USOM, has flagged one of the IP addresses associated with the spyware as malicious, supporting the theory that individuals in Turkey were specifically targeted.
The spyware is capable of extensive device surveillance, accessing sensitive data such as photos, messages, contacts, and call logs. It can also activate the device’s microphone and track precise locations, heightening the threat to personal privacy and security.
Unit 42 identified that the spyware’s code references multiple Galaxy models, including the Galaxy S22, S23, and S24, indicating that devices running Android versions 13 through 15 may also be at risk. While Samsung has not responded to requests for comment, the implications of this spyware campaign are dire, as many users may remain unaware of their vulnerability.
As details continue to unfold, users of Samsung Galaxy devices are urged to stay vigilant and ensure that their software is updated to the latest security patches. The global community is now watching closely as researchers and authorities investigate the origins and impacts of the Landfall spyware campaign.
Stay tuned for more updates as this story develops.
