- By Prateek Levi
- Mon, 10 Nov 2025 04:52 AM (IST)
- Source:JND
For almost a year, Samsung Galaxy users unknowingly fell victim to a silent and highly sophisticated hacking campaign. Security experts at Palo Alto Networks' Unit 42 have now revealed the operation, codenamed Landfall, which exploited a zero-day vulnerability in Samsung's Android software from July 2024 up to April 2025.
The attack did not require any user interaction. Researchers said the spyware was delivered via a malicious image – most likely sent through a chat app – capable of infecting a phone the instant it was received. Victims didn't need to open or tap anything; it was a textbook "zero-click" exploit.
ALSO READ: Google Maps India Gets Gemini AI Integration: Smarter, Safer, And More Localised Navigation
The vulnerability, CVE-2025-21042, gave attackers the power to take control of the device and steal personal information. Once inside, the spyware accessed photos, messages, contacts, call logs, and precise locations and could even activate the microphone for live audio recording.
Researchers say the attack is specifically aimed at flagship models from Samsung: the Galaxy S22, S23, and S24, along with several Galaxy Z series devices running Android versions 13 to 15.
Although Samsung quietly patched the flaw back in April 2025, it wasn't until now that the true scope and intent of the campaign have come into sharp focus. Unit 42's findings reveal that Landfall was not a broad malware outbreak but a focused espionage effort aimed at select individuals.
There are indications of activity in parts of the Middle East, with samples uploaded from Morocco, Iran, Iraq, and Turkey. In fact, Turkey's cybersecurity agency, earlier this year, flagged one of the servers linked to the spyware as malicious.
Researchers also found technical connections between Landfall and known surveillance outfit Stealth Falcon, a group previously linked to operations against journalists and activists. However, they stopped short of attributing the campaign to any government or organisation because of insufficient proof.
Samsung has so far made no comment on the report. For now, experts are encouraging Galaxy users running Android 13, 14, or 15 to confirm their devices are updated with the April 2025 security patch or later to ensure protection from the exploit.