Safety researchers have found an Android spy ware that focused Samsung Galaxy telephones throughout a virtually year-long hacking marketing campaign.
Researchers at Palo Alto Networks’ Unit 42 mentioned the spy ware, which they name “Landfall,” was first detected in July 2024 and relied on exploiting a safety flaw within the Galaxy cellphone software program that was unknown to Samsung on the time, a sort of vulnerability often known as a zero-day.
Unit 42 mentioned the flaw could possibly be abused by sending a maliciously crafted picture to a sufferer’s cellphone, probably delivered by a messaging app, and that the assaults might not have required any interplay from the sufferer.
Samsung patched the safety flaw — tracked as CVE-2025-21042 — in April 2025, however particulars of the spy ware marketing campaign abusing the flaw haven’t been beforehand reported.
The researchers mentioned in a blog post that it’s not recognized which surveillance vendor developed the Landfall spy ware, neither is it recognized what number of people have been focused as a part of the marketing campaign. However the researchers mentioned that the assaults probably focused people within the Center East.
Itay Cohen, a senior principal researcher at Unit 42, advised TechCrunch that the hacking marketing campaign consisted of a “precision assault” on particular people and never a mass-distributed malware, which signifies that the assaults have been probably pushed by espionage.
Unit 42 discovered that the Landfall spy ware shares overlapping digital infrastructure utilized by a recognized surveillance vendor dubbed Stealth Falcon, which has been beforehand seen in spy ware assaults towards Emirati journalists, activists, and dissidents way back to 2012. However the researchers mentioned that the hyperlinks with Stealth Falcon, whereas intriguing, weren’t sufficient to obviously attribute the assaults to a specific authorities buyer.
Unit 42 mentioned that the Landfall spy ware samples that they found had been uploaded to VirusTotal, a malware scanning service, from people in Morocco, Iran, Iraq, and Turkey all through 2024 and early 2025.
Turkey’s nationwide cyber readiness staff, often known as USOM, flagged one of many IP addresses that the Landfall spy ware related to as malicious, which Unit 42 mentioned helps the speculation that people in Turkey might have been focused.
Very similar to different authorities spy ware, Landfall is able to broad gadget surveillance, corresponding to accessing the sufferer’s information, together with images, messages, contacts and name logs, in addition to the tapping of the gadget’s microphone and monitoring their exact location.
Unit 42 discovered that the spy ware’s supply code referenced 5 particular Galaxy telephones, together with the Galaxy S22, S23, S24, and a few Z fashions, as targets. Cohen mentioned that the vulnerability might have additionally been current on different Galaxy units, and affected Android variations 13 by 15.
Samsung didn’t reply to a request for remark.
