Hackers Used a Zero-Day to Spy on Samsung Galaxy Phones for Almost a Year. Here’s What We Know So Far

A new Android spyware dubbed “Landfall” quietly hacked into Samsung Galaxy phones for nearly a year — and hardly anyone noticed. Researchers at Palo Alto Networks’ Unit 42 say this wasn’t some random, spray-and-pray malware. It was a targeted operation, likely for espionage, and it quietly slipped past Samsung’s radar until very recently.

Let’s break down the who, what, and how of this spyware campaign.


What exactly was Landfall?

Landfall is a piece of Android spyware that took advantage of a so-called “zero-day” vulnerability. That’s tech-speak for a bug that the manufacturer doesn’t know about yet, so no patch exists when attackers start exploiting it. The attackers found a flaw in Samsung Galaxy software and used it to secretly infect phones with spyware.

The kicker? Victims didn’t even need to tap on anything. All it took was a malicious image, probably delivered through a messaging app. Once that image landed on the device, the spyware got to work — without a single click.


The campaign quietly ran from July 2024 to April 2025

Landfall was first detected by Unit 42 in mid-2024. Samsung didn’t patch the flaw (now known as CVE-2025-21042) until April 2025. That means attackers had a clear window of nearly a year to spy on targets.

What kind of surveillance are we talking about?

  • Access to photos, texts, and contacts
  • Eavesdropping through the phone’s mic
  • Tracking the user’s precise location
  • Viewing call logs and likely more

Think of it as someone having all your phone’s secrets in their pocket.


Who was targeted?

So far, no one knows for sure how many people were hit by Landfall. But this wasn’t malware aimed at everyone. It was a “precision attack,” according to Itay Cohen, a senior researcher at Unit 42. That means hackers went after specific people — not random users.

Clues point toward targets in the Middle East. Malware samples showed up on the malware scanning service VirusTotal from users in Morocco, Iran, Iraq, and Turkey during 2024 and early 2025.

Turkey’s national cyber response team, called USOM, even flagged one of Landfall’s command and control servers as malicious — backing up theories that Turkish users may have been part of the target group.


Who’s behind this?

Now here’s where things get murky. The researchers haven’t definitively linked Landfall to any group. But they did notice some overlap in the digital infrastructure with a known surveillance operation called Stealth Falcon.

What’s that? Stealth Falcon has a history of spying on journalists and dissidents in the UAE going back to 2012. That’s significant, but Unit 42 was careful to say it’s not enough evidence to say, “Yes, this group made Landfall.”

Bottom line: Someone with resources and motives picked these targets very carefully.


Which Samsung models were vulnerable?

Unit 42 found that Landfall’s code specifically referenced the Galaxy S22, S23, S24, and some Z models — foldables, perhaps. The vulnerability appeared to affect Android versions 13 through 15, so the net was fairly wide.

Samsung has since patched the bug, but they haven’t commented publicly yet.


Why this matters

If you own a Samsung Galaxy device, it’s a reminder to keep your software updated. Security patches might not seem exciting, but they’re literally the wall keeping hackers out.

What makes Landfall especially troubling is how stealthy and effective it was. No clicks. No visible signs. Just a silent image slipping through your messenger app and turning your phone into a surveillance tool.

For now, the campaign seems to be over. But the lesson here is clear: even your most personal device can be turned against you — especially when sophisticated spyware is in play.

Stay curious. Stay updated. Stay safe.

— Written for Yugto.io, where we connect the dots between tech, data, and the real world.
