Landfall Spyware Exploited Zero-Day Vulnerability to Hack Samsung Smartphones

By: Volodymyr Stetsiuk | 07.11.2025, 21:05

The Unit 42 cybersecurity team at Palo Alto Networks discovered dangerous spyware called Landfall, which exploited a zero-day vulnerability in Samsung Galaxy smartphones. The hacking campaign lasted almost a year, starting in July 2024, and went unnoticed until April 2025.

What is known

The attack was carried out by sending a specially crafted image, most likely via a messaging app. Infection required no user interaction: receiving the image was enough. The vulnerability was assigned the identifier CVE-2025-21042 and affected Android versions 13–15.

According to Itai Cohen from Unit 42, Landfall was used in "pinpoint attacks" against individuals, presumably for political espionage. Most cases were recorded in Morocco, Iran, Iraq, and Turkey. The Turkish cyber team USOM confirmed the presence of suspicious IP addresses connected to Landfall.

Researchers found that Landfall's infrastructure has similarities with that of the known spyware provider Stealth Falcon, which previously attacked journalists and activists in the Middle East. However, there is currently no clear evidence of the involvement of a specific government entity.

Landfall targeted devices such as the Galaxy S22, S23, and S24, as well as certain models of the Fold and Flip series. The software had full access to the device: photos, contacts, calls, messages, microphone, and geolocation.

Source: Palo Alto Networks Unit 42