Safety researchers have found an Android spy ware that focused Samsung Galaxy telephones throughout a virtually year-long hacking marketing campaign.
Researchers at Palo Alto Networks’ Unit 42 mentioned the spy ware, which they name “Landfall,” was first detected in July 2024 and relied on exploiting a safety flaw within the Galaxy cellphone software program that was unknown to Samsung on the time, a kind of vulnerability referred to as a zero-day.
Unit 42 mentioned the flaw may very well be abused by sending a maliciously crafted picture to a sufferer’s cellphone, possible delivered by a messaging app, and that the assaults might not have required any interplay from the sufferer.
Samsung patched the safety flaw — tracked as CVE-2025-21042 — in April 2025, however particulars of the spy ware marketing campaign abusing the flaw haven’t been beforehand reported.
The researchers mentioned in a weblog put up that it’s not identified which surveillance vendor developed the Landfall spy ware, neither is it identified what number of people have been focused as a part of the marketing campaign. However the researchers mentioned that the assaults possible focused people within the Center East.
Itay Cohen, a senior principal researcher at Unit 42, instructed TechCrunch that the hacking marketing campaign consisted of a “precision assault” on particular people and never a mass-distributed malware, which signifies that the assaults have been possible pushed by espionage.
Unit 42 discovered that the Landfall spy ware shares overlapping digital infrastructure utilized by a identified surveillance vendor dubbed Stealth Falcon, which has been beforehand seen in spy ware assaults in opposition to Emirati journalists, activists, and dissidents way back to 2012. However the researchers mentioned that the hyperlinks with Stealth Falcon, whereas intriguing, weren’t sufficient to obviously attribute the assaults to a selected authorities buyer.
Unit 42 mentioned that the Landfall spy ware samples that they found had been uploaded to VirusTotal, a malware scanning service, from people in Morocco, Iran, Iraq, and Turkey all through 2024 and early 2025.
Turkey’s nationwide cyber readiness workforce, referred to as USOM, flagged one of many IP addresses that the Landfall spy ware linked to as malicious, which Unit 42 mentioned helps the speculation that people in Turkey might have been focused.
Very similar to different authorities spy ware, Landfall is able to broad gadget surveillance, similar to accessing the sufferer’s knowledge, together with pictures, messages, contacts and name logs, in addition to the tapping of the gadget’s microphone and monitoring their exact location.
Unit 42 discovered that the spy ware’s supply code referenced 5 particular Galaxy telephones, together with the Galaxy S22, S23, S24, and a few Z fashions, as targets. Cohen mentioned that the vulnerability might have additionally been current on different Galaxy gadgets, and affected Android variations 13 by 15.
Samsung didn’t reply to a request for remark.