Security experts have unearthed sophisticated Android spyware that targeted Samsung Galaxy smartphones in a prolonged hacking operation. The spyware, known as “Landfall,” was identified by researchers at Palo Alto Networks’ Unit 42 in July 2024. It exploited a zero-day vulnerability in the Galaxy phone software, enabling attackers to compromise devices without user interaction.
Unit 42 disclosed that the flaw was exploited by sending a specially crafted image to the victim’s device, likely through a messaging app. Samsung promptly addressed the security issue, tracked as CVE-2025-21042, in April 2025. However, the specifics of the spyware campaign leveraging this flaw had not been previously disclosed.
The researchers highlighted in a blog post that the origins of the Landfall spyware and the scope of the campaign remain unknown. While it targeted individuals in the Middle East, the surveillance vendor behind it has not been identified. Itay Cohen, a senior researcher at Unit 42, described the attack as a targeted espionage operation rather than a widespread malware distribution.
Notably, Unit 42 linked the Landfall spyware to digital infrastructure associated with a surveillance vendor called Stealth Falcon, known for targeting Emirati journalists and activists since 2012. However, these connections were insufficient to definitively attribute the attacks to a specific government entity.
Analysis by Unit 42 revealed that the Landfall spyware samples were uploaded to VirusTotal from various locations, including Morocco, Iran, Iraq, and Turkey. The Turkish national cyber readiness team, USOM, identified one of the malicious IP addresses linked to the spyware, suggesting potential targeting in Turkey.
Similar to other government-grade spyware, Landfall possesses extensive surveillance capabilities, such as accessing sensitive data, intercepting communications, and tracking the victim’s location. The spyware’s source code referenced specific Galaxy models, indicating potential compatibility with other devices and Android versions.
Despite these findings, Samsung has not provided a comment on the matter.