Summary
- The Landfall spyware exploited a zero-day flaw in Galaxy phones, allowing devices to be compromised through a malicious image sent via messaging apps.
- The attack, focused on the Middle East, targeted Galaxy S22, S23, S24 and Z line models, affecting users in countries such as Morocco, Iran, Iraq and Turkey.
- The CVE-2025-21042 vulnerability was patched in April 2025, and Landfall showed similarities to attacks by the Stealth Falcon group.
Researchers from Palo Alto Networks revealed a digital espionage campaign that targeted Samsung’s Galaxy cell phones. The attack, which lasted almost a year, exploited a vulnerability previously unknown to the South Korean company, which makes it a zero-day flaw.
Named Landfall, the spyware was discovered in July 2024 and took advantage of a flaw in Samsung’s Android software. It allowed attackers to compromise devices by sending a malicious image, usually shared through messaging applications, without the user having to take any action.
Who was affected?
According to the report from Unit 42, the cybersecurity division of Palo Alto Networks, the spyware had a limited reach and was aimed at specific targets, which suggests an espionage operation rather than mass dissemination. Evidence suggests that the victims were concentrated in the Middle East, including users in countries such as Morocco, Iran, Iraq and Turkey.
One of the IP addresses associated with the malware was even classified as malicious by Turkey’s national cyber response team (USOM), reinforcing the hypothesis that Turkish citizens were among the targets. The vulnerability used, registered as CVE-2025-21042, was patched by Samsung in April 2025 — months after the attacks began.
Senior researcher Itay Cohen, from Unit 42, explained that the case “was a precision attack against specific individuals”, and not a large-scale malware dissemination campaign.
What did the spyware do?
Landfall had broad access to data on compromised devices: it could extract photos, messages, contacts and call logs, as well as activate the microphone and track the victims’ location.
Code analysis revealed that the malware specifically referenced models such as the Galaxy S22, S23, S24 and some from the Z line, although experts believe that other devices running Android 13 to 15 were also affected.
The report also identified similarities between the digital infrastructure used by Landfall and that of a group known as Stealth Falcon, linked to previous attacks against journalists and activists in the United Arab Emirates. Still, researchers say there is not enough evidence to attribute the case to a specific government or surveillance provider.
Source: https://tecnoblog.net/noticias/app-espiao-atinge-celulares-galaxy-a-partir-de-falha-desconhecida/
