Urgent: Spyware “Landfall” Hacks Samsung Galaxy Phones Using Zero-Day

UPDATE: Security researchers have identified a new spyware named “Landfall” that has been actively targeting Samsung Galaxy phones during a nearly year-long hacking operation. The alarming findings from Palo Alto Networks’ Unit 42 reveal that this sophisticated malware exploited a previously unknown security vulnerability, known as a zero-day, first detected in July 2024.

The zero-day vulnerability, tracked as CVE-2025-21042, allowed attackers to compromise devices by sending maliciously crafted images, likely through messaging apps, without requiring any interaction from the victims. This level of stealth raises serious concerns about the growing sophistication of cyber espionage tactics.

Samsung addressed this critical flaw in April 2025, but details of the Landfall spyware’s operations have remained largely undisclosed until now. While the exact number of individuals affected is still unknown, researchers believe the campaign primarily targeted specific individuals in the Middle East, suggesting a focus on espionage rather than mass malware distribution.

According to Itay Cohen, a senior principal researcher at Unit 42, the campaign was characterized as a “precision attack,” indicating a targeted approach aimed at specific individuals rather than a broader assault. This aligns with previous findings linking the spyware to known surveillance vendor Stealth Falcon, notorious for its history of targeting Emirati journalists, activists, and dissidents since 2012.

Unit 42’s analysis uncovered that samples of the Landfall spyware were uploaded to malware scanning service VirusTotal from users in Morocco, Iran, Iraq, and Turkey throughout 2024 and early 2025. Notably, Turkey’s national cyber readiness team, USOM, identified one of the spyware’s IP addresses as malicious, suggesting that individuals in Turkey may have been among the targets.

The spyware is capable of extensive device surveillance, including accessing photos, messages, contacts, call logs, and even tapping into the device’s microphone and tracking precise locations. Unit 42 has confirmed that the spyware targets multiple Galaxy models, including the Galaxy S22, S23, S24, and several Z models. There are indications that the vulnerability may also affect other Galaxy devices operating on Android versions 13 through 15.

As the investigation continues, the implications of this spyware discovery are profound. The potential for abuse in targeted surveillance scenarios underscores the urgent need for users to stay informed about their device security. Samsung has yet to respond to requests for comment regarding this serious breach.

NEXT STEPS: Users of affected Galaxy models are urged to update their devices immediately and remain vigilant against suspicious messages and attachments. As more information becomes available, it is crucial to monitor developments in this ongoing situation, particularly regarding the origins and motivations behind the Landfall spyware campaign.

This shocking revelation highlights the persistent threat posed by advanced cyberattacks and the necessity for robust cybersecurity measures in an increasingly connected world.