A sophisticated Android spyware called 'Landfall' exploited a previously unknown Samsung Galaxy vulnerability for nearly a year, targeting individuals across the Middle East in what researchers describe as a precision espionage campaign. The zero-day attack required no user interaction and could be triggered by simply receiving a malicious image through messaging apps.
Samsung Galaxy users were unknowingly caught in the crosshairs of a sophisticated spyware operation that flew under the radar for almost an entire year. Security researchers at Palo Alto Networks Unit 42 have exclusively revealed to TechCrunch that a previously unknown Android spyware dubbed 'Landfall' successfully exploited a zero-day vulnerability in Galaxy devices from July 2024 through early 2025.
The attack method was particularly insidious: victims could be compromised simply by receiving a weaponized image through messaging apps, with no interaction required on their part. 'This was a precision attack on specific individuals, not mass-distributed malware,' Itay Cohen, senior principal researcher at Unit 42, told TechCrunch. The targeted nature strongly suggests espionage motivations rather than cybercriminal profit.
Samsung patched the security flaw, officially tracked as CVE-2025-21042, in April 2025, but the company hasn't responded to requests for comment about the scope of the breach. The vulnerability affected Android versions 13 through 15, with the spyware's source code specifically referencing Galaxy S22, S23, S24, and Z-series models as targets.
The geographic footprint tells a compelling story about the campaign's likely objectives. Unit 42 discovered Landfall samples were uploaded to VirusTotal, a malware scanning service, from users in Morocco, Iran, Iraq, and Turkey throughout 2024 and early 2025. Turkey's national cyber readiness team USOM even flagged one of the spyware's command-and-control IP addresses as malicious, lending credence to the theory that Turkish individuals were among the targets.
What makes this discovery particularly significant is Landfall's apparent connection to the surveillance ecosystem. The spyware shares digital infrastructure with Stealth Falcon, a known surveillance vendor that has targeted Emirati journalists, activists, and dissidents since 2012. While Unit 42 researchers note the links are 'intriguing,' they stopped short of definitively attributing the attacks to any specific government customer.
Landfall's capabilities mirror those of other state-sponsored spyware tools, offering attackers comprehensive device access. Once installed, it can harvest photos, messages, contacts, and call logs while simultaneously activating the device's microphone and tracking the victim's precise location. This level of surveillance functionality is consistent with tools used by nation-state actors rather than run-of-the-mill cybercriminals.












