Safety researchers have found an Android spy ware that focused Samsung Galaxy telephones throughout a virtually year-long hacking marketing campaign.
Researchers at Palo Alto Networks’ Unit 42 stated the spy ware, which they name “Landfall,” was first detected in July 2024 and relied on exploiting a safety flaw within the Galaxy cellphone software program that was unknown to Samsung on the time, a sort of vulnerability often called a zero-day.
Unit 42 stated the flaw may very well be abused by sending a maliciously crafted picture to a sufferer’s cellphone, seemingly delivered by a messaging app, and that the assaults could not have required any interplay from the sufferer.
Samsung patched the safety flaw — tracked as CVE-2025-21042 — in April 2025, however particulars of the spy ware marketing campaign abusing the flaw haven’t been beforehand reported.
The researchers stated it’s not identified which surveillance vendor developed the Landfall spy ware, neither is it identified what number of people have been focused as a part of the marketing campaign. However the researchers stated that the assaults seemingly focused people within the Center East.
Itay Cohen, a senior principal researcher at Unit 42, instructed TechCrunch that the hacking marketing campaign consisted of a “precision assault” on particular people and never a mass-distributed malware, which signifies that the assaults have been seemingly pushed by espionage.
Unit 42 discovered that the Landfall spy ware shares overlapping digital infrastructure utilized by a identified surveillance vendor dubbed Stealth Falcon, which has been beforehand seen in spy ware assaults towards Emirati journalists, activists, and dissidents way back to 2012. However the researchers stated that the hyperlinks with Stealth Falcon, whereas intriguing, weren’t sufficient to obviously attribute the assaults to a specific authorities buyer.
Unit 42 stated that the Landfall spy ware samples that they found had been uploaded to VirusTotal, a malware scanning service, from people in Morocco, Iran, Iraq, and Turkey all through 2024 and early 2025.
Turkey’s nationwide cyber readiness staff, often called USOM, flagged one of many IP addresses that the Landfall spy ware related to as malicious, which Unit 42 stated helps the idea that people in Turkey could have been focused.
Very like different authorities spy ware, Landfall is able to broad system surveillance, equivalent to accessing the sufferer’s knowledge, together with pictures, messages, contacts and name logs, in addition to the tapping of the system’s microphone and monitoring their exact location.
Unit 42 discovered that the spy ware’s supply code referenced 5 particular Galaxy telephones, together with the Galaxy S22, S23, S24, and a few Z fashions, as targets. Cohen stated that the vulnerability could have additionally been current on different Galaxy units, and affected Android variations 13 by 15.
Samsung didn’t reply to a request for remark.
{content material}
Supply: {feed_title}