Spyware Targets Samsung Galaxy Phones Using Zero-Day Vulnerability
Security researchers have uncovered a sophisticated Android spyware campaign, dubbed “Landfall,” that specifically targeted Samsung Galaxy phones over nearly a year. According to experts at Palo Alto Networks’ Unit 42, the spyware was first detected in July 2024 and exploited a previously unknown security vulnerability in the Galaxy phone software, a so-called zero-day flaw. The vulnerability could be exploited by sending a maliciously crafted image to a victim’s device, potentially through messaging applications, without requiring any interaction from the user.
Samsung addressed the security flaw, identified as CVE-2025-21042, in April 2025. Despite this patch, the details surrounding the Landfall spyware campaign had not been reported until now. The exact identity of the vendor behind the spyware remains unclear, and the number of individuals targeted is still unknown. However, Unit 42 indicated that the campaign primarily focused on individuals in the Middle East.
Targeted Espionage Campaign
Itay Cohen, a senior principal researcher at Unit 42, described the hacking campaign as a “precision attack” aimed at specific individuals rather than a broad distribution of malware. This suggests a motive rooted in espionage rather than random cybercrime. Unit 42 noted that the Landfall spyware shares digital infrastructure with a known surveillance vendor called Stealth Falcon. This group has targeted Emirati journalists, activists, and dissidents since 2012.
While the association with Stealth Falcon raises questions, Unit 42 emphasized that it does not provide enough evidence to definitively link the attacks to a specific government client. The spyware samples discovered were uploaded to VirusTotal, a malware scanning service, from locations including Morocco, Iran, Iraq, and Turkey throughout 2024 and early 2025. Notably, Turkey’s national cyber readiness team, known as USOM, flagged one of the connected IP addresses as malicious, bolstering the theory that individuals in Turkey were among the targets.
Capabilities and Targeted Devices
The Landfall spyware is designed for extensive device surveillance. It can access a victim’s data, including photos, messages, contacts, and call logs. It can also tap into the device’s microphone and track the user’s precise location. Unit 42 found that the spyware’s source code referenced five specific Galaxy phone models, including the Galaxy S22, S23, S24, and several Z models. Cohen noted that the vulnerability could also affect other Galaxy devices running Android versions 13 through 15.
Despite the serious implications of this discovery, Samsung has yet to respond to inquiries regarding the spyware campaign and its impact. The revelations surrounding Landfall highlight the ongoing risks posed by sophisticated cyber threats, particularly in regions with heightened political tensions. As the landscape of digital security continues to evolve, the need for robust protections against such targeted attacks becomes increasingly urgent.