Security researchers have uncovered a sophisticated spyware campaign that specifically targeted Samsung Galaxy phones over the past year. Dubbed “Landfall,” the spyware exploited a previously unknown security vulnerability – a “zero-day” – in the Galaxy phone software, highlighting the persistent threat posed by advanced surveillance tools.
The Zero-Day Vulnerability and Its Exploitation
The spyware, first detected in July 2024, leveraged a flaw in Samsung’s Galaxy software that Samsung was unaware of at the time. This vulnerability allowed attackers to potentially install the spyware on a victim’s phone simply by sending a maliciously crafted image, likely through a messaging application. Worryingly, this attack may not have required any interaction from the phone’s user, making it extremely difficult to detect and prevent.
Samsung addressed the security vulnerability, now identified as CVE-2025-21042, in April 2025. However, until now, details about the spyware campaign actively exploiting this vulnerability hadn’t been publicly disclosed.
Identifying the Tactics and Potential Targets
The researchers at Palo Alto Networks’ Unit 42 have noted that this appears to be a “precision attack” targeting specific individuals, rather than a widespread malware distribution. This strongly suggests the campaign was driven by espionage, with attackers focused on gathering intelligence on select targets.
While the specific developer of the Landfall spyware remains unknown, Unit 42 has found intriguing links to a known surveillance vendor called Stealth Falcon. Stealth Falcon has been previously implicated in spyware attacks against Emirati journalists, activists, and dissidents dating back to 2012. The overlap in digital infrastructure between Landfall and Stealth Falcon raises suspicions, though a direct attribution to a particular government remains unconfirmed.
Geographic Scope and Device Targeting
Analysis of Landfall spyware samples uploaded to VirusTotal revealed activity originating from Morocco, Iran, Iraq, and Turkey throughout 2024 and early 2025. Notably, Turkey’s national cyber readiness team (USOM) flagged one of the IP addresses used by Landfall as malicious, further supporting the theory that individuals within Turkey were targeted.
The spyware’s code specifically references five Galaxy phone models, including the Galaxy S22, S23, and S24, as well as some Z series devices. Researchers believe the vulnerability may have extended to other Galaxy devices running Android versions 13 through 15.
Capabilities of Landfall Spyware
Similar to other government-grade spyware, Landfall offers broad device surveillance capabilities. It is capable of accessing a wide range of personal data, including photos, messages, contacts, and call logs. Furthermore, it can activate the device’s microphone for audio recording and track the user’s precise location.
This latest discovery underscores the ongoing challenges posed by sophisticated spyware and the need for heightened vigilance among individuals at risk of targeted surveillance.
The emergence of Landfall highlights the persistent and evolving threat of targeted spyware attacks, particularly against individuals in regions known for political and social activism. While Samsung has patched the specific vulnerability, the incident serves as a reminder of the importance of keeping devices updated and exercising caution when opening attachments or links from untrusted sources.
