Security researchers have discovered Android spyware that targeted Samsung Galaxy phones in a nearly year-long hacking campaign.
Palo Alto Networks Unit 42 researchers said the spyware, called Landfall, was first detected in July 2024 and relied on exploiting a security flaw in Galaxy phone software that Samsung didn't know about at the time, a type of vulnerability known as a zero-day.
Unit 42 said the flaw could be exploited by sending a maliciously crafted image to a victim's phone, possibly delivered through a messaging app, and the attack may not have required any interaction from the victim.
Samsung patched the flaw (tracked as CVE-2025-21042) in April 2025, but details of the spyware campaign that exploited it were not previously reported.
Researchers said it is unclear which surveillance vendor developed the Landfall spyware, and it is also unclear how many individuals were targeted as part of the campaign. But researchers said the attack likely targeted individuals in the Middle East.
Itay Cohen, a senior principal investigator at Unit 42, told TechCrunch that the hacking campaign consisted of “precision attacks” against specific individuals rather than mass-distributed malware, indicating the attacks were likely the result of espionage.
Unit 42 discovered that the Landfall spyware's digital infrastructure overlaps with infrastructure used by a known surveillance vendor called Stealth Falcon. Stealth Falcon was seen in spyware attacks against journalists, activists, and dissidents in the United Arab Emirates as far back as 2012. However, researchers said that while the Stealth Falcon connection is interesting, it is not enough to definitively attribute the attack to a specific government customer.
Unit 42 said the Landfall spyware samples it discovered were uploaded to malware scanning service VirusTotal by individuals in Morocco, Iran, Iraq and Turkey between 2024 and early 2025.
Turkey's National Cyber Preparedness Team, known as USOM, flagged one of the IP addresses that the Landfall spyware was connecting to as malicious, and Unit 42 said this supports the theory that individuals within Turkey may have been targeted.
Like other government spyware, Landfall is capable of extensive device surveillance, including accessing victim data such as photos, messages, contacts, and call logs, as well as tapping the device's microphone and tracking its exact location.
Unit 42 discovered that the spyware's source code references five specific Galaxy phones as targets, including the Galaxy S22, S23, S24, and some Z models. Cohen said the vulnerability existed on other Galaxy devices and may have affected Android versions 13 to 15.
Samsung did not respond to a request for comment.

