For almost a year, a powerful spyware quietly targeted Samsung Galaxy smartphones without users realizing it. Security researchers at Palo Alto Networks’ Unit 42 have now revealed that the spyware, called “Landfall,” was part of a highly sophisticated hacking campaign that began in July 2024 and continued until April 2025, according to a report by TechCrunch.
The attackers behind Landfall found a way to break into Galaxy phones using a zero-day vulnerability — a security flaw that even Samsung didn’t know existed at the time. All it took was a single image, carefully designed to exploit the flaw, sent through a messaging app. Once delivered, the spyware could silently infect the phone — no clicks, no downloads, no warning signs.
Samsung eventually fixed the flaw, now listed as CVE-2025-21042, in an April 2025 software update. But by then, the hackers had already been active for months, secretly watching and listening through the targeted phones.
Researchers say it’s still unclear who built or deployed Landfall, but the signs point to a state-backed surveillance operation. It wasn’t random — only certain individuals were targeted, mostly in the Middle East. Unit 42 believes these were “precision attacks,” likely aimed at journalists, activists, or political figures.
Interestingly, the digital trail left behind by Landfall overlaps with that of Stealth Falcon, a known surveillance group accused of spying on Emirati dissidents and journalists since 2012. While the connection is not confirmed, the similarities suggest a shared origin or cooperation between the two.
Data uploaded to VirusTotal, a malware analysis platform, showed that infected devices came from Morocco, Iran, Iraq, and Turkey. Turkey’s national cyber team even flagged one of Landfall’s communication servers as malicious, suggesting the spyware may have actively targeted users in the country.
Once installed, Landfall could do nearly anything — access messages, photos, call logs, and contacts, or even turn on the microphone and track the phone’s location. Researchers found code that specifically mentioned Galaxy models like the S22, S23, S24, and some Z Fold and Flip devices, all running Android 13 through 15.
Samsung has not commented on the discovery. But the revelation highlights a worrying reality: even the world’s most popular phones can become silent instruments of surveillance — and users might never know until long after the attack has ended.
Discover the latest Business News, Sensex, and Nifty updates. Obtain Personal Finance insights, tax queries, and expert opinions on Moneycontrol or download the Moneycontrol App to stay updated!
