Security researchers have found a vulnerability that was used to inject a new spyware called ‘Landfall’ into Samsung Galaxy phones during a hacking campaign that lasted several months, likely aimed at victims in the Middle East.

According to researchers at Unit 42, the threat research team at the cybersecurity firm Palo Alto Networks, the attackers took advantage of a security flaw in the Android OS to install the spyware and compromise Galaxy smartphones.

This was a zero-day attack, meaning Samsung was unaware of the vulnerability at that time.

Landfall Spyware

Landfall is zero-click spyware, meaning it could be delivered to target phones without any action from the victims.

Just sending a maliciously crafted image to a victim’s phone, probably through a messaging app, could lead to the device being infected by Landfall.

The source code of the spyware identified five Galaxy models as potential targets: the Samsung Galaxy S22, S23, S24, and some Z models.

The researchers also discovered the Android security flaw in other Galaxy devices, noting that devices running Android versions 13 to 15 might also be at risk.

In response, Samsung fixed the security flaw that was exploited to deploy the spyware in April of this year.

However, Landfall was first identified in July of last year, and the campaign had been active since mid-2024.

Landfall remained active and undetected for months. 

The specific flaw LANDFALL exploited, CVE-2025-21042, is not an isolated incident but part of a larger trend of similar problems found across multiple mobile platforms.

Who Created It?

Landfall can perform extensive surveillance on its victims by collecting on-device data like photos, contacts, and call logs, in addition to accessing the device’s microphone and tracking its exact location.

The spyware is delivered through malformed DNG image files that exploit CVE-2025-21042 – a serious zero-day vulnerability in Samsung’s image processing library, which has been exploited in the wild.

The exact spyware vendor behind Landfall remains unknown.

Landfall was hosted on digital infrastructure similar to that of a well-known spyware vendor called Stealth Falcon.

Other specifics, like the total number of individuals potentially targeted in this campaign, are still unclear.

The spyware wasn’t spread out like typical malware. Instead, the attackers executed a “precision attack” targeting specific individuals.

Researchers didn’t have enough proof to definitively say that a government client of Landfall was behind the hacking operation.
