Urgent: Samsung Galaxy Exploited by ‘Landfall’ Spyware Attack

UPDATE: Security researchers have uncovered a sophisticated spyware campaign targeting Samsung Galaxy phones, named “Landfall,” which has been active for nearly a year. Researchers from Palo Alto Networks’ Unit 42 confirmed that this spyware first emerged in July 2024 and exploited a previously unknown vulnerability in the Galaxy phone software, referred to as a zero-day flaw.

The implications of this discovery are significant. The spyware, which can infiltrate devices without user interaction, poses a serious threat to individuals, particularly in the Middle East. Victims were likely compromised through malicious images sent via messaging apps, allowing attackers to access sensitive data such as photos, messages, and even microphone recordings.

Unit 42 identified the vulnerability, tracked as CVE-2025-21042, which Samsung patched in April 2025. However, this was the first time details about the spyware’s widespread abuse have been revealed. Itay Cohen, a senior principal researcher at Unit 42, described the hacking campaign as a “precision attack,” indicating that it specifically targeted individuals rather than deploying mass malware.

The spyware shares digital infrastructure with a known surveillance vendor called Stealth Falcon, previously implicated in attacks against Emirati journalists and activists since 2012. While intriguing, Unit 42 cautioned that these connections do not definitively link the attacks to any government entity.

Moreover, the analysis revealed that samples of Landfall spyware were uploaded from various locations, including Morocco, Iran, Iraq, and Turkey throughout 2024 and early 2025. Turkey’s national cyber readiness team, known as USOM, flagged one of the associated IP addresses as malicious, supporting the theory that Turkish individuals were among those targeted.

The spyware is capable of extensive surveillance, enabling attackers to tap into device microphones, track precise locations, and gather a wealth of personal data. The source code examined by researchers indicated that the spyware specifically targeted devices such as the Galaxy S22, S23, S24, and various Z models, with the potential vulnerability likely affecting other Galaxy devices running Android versions 13 to 15.

As this situation develops, the urgency for Samsung Galaxy users to secure their devices cannot be overstated. With the potential for ongoing attacks, users are advised to remain vigilant and update their software immediately.

Samsung has not yet responded to inquiries regarding this grave cybersecurity issue. As the investigation continues, more details are expected to emerge, underscoring the critical need for awareness and proactive measures among users worldwide.