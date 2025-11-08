Samsung Galaxy users were unknowingly exposed to a months-long hacking campaign that silently targeted their phones and extracted sensitive data, all without a single tap. Security researchers at Palo Alto Networks’ Unit 42 have revealed a sophisticated Android spyware operation, dubbed “Landfall,” that exploited a zero-day flaw in Samsung’s software for nearly 10 months, from July 2024 to April 2025. Samsung eventually patched the flaw in April 2025, but until now, the scale and nature of the exploit had not been made public.

A zero-click hack delivered through an image

According to researchers, Landfall took advantage of a previously unknown vulnerability, CVE-2025-21042, allowing attackers to hijack a device simply by sending a specially crafted image, likely via a messaging app. The victim didn’t need to click anything for the hack to work, making it a classic “zero-click” attack.

Photos, chats, calls - everything was exposed

Once installed, the spyware could reportedly access a wide range of personal data, including:

• Photos

• Messages

• Contacts

• Call logs

• Precise location

• Device microphone for real-time audio

Researchers say the spyware targeted specific Samsung models, including Galaxy S22, S23, S24 and select Galaxy Z series devices. Android versions 13 through 15 are believed to have been affected.

Not a mass attack, a targeted espionage operation

Unit 42 emphasised that this wasn’t a widespread malware campaign but a precision attack aimed at selected individuals, likely for surveillance or intelligence gathering. Samples uploaded to VirusTotal came from Morocco, Iran, Iraq and Turkey, suggesting the campaign was focused on regions in the Middle East.

Turkey’s national cybersecurity agency even flagged one of the spyware’s servers as malicious, indicating active targeting within the country.

Unit 42 also found infrastructure overlaps with a known surveillance group called Stealth Falcon, previously linked to attacks on journalists and activists. However, the evidence was not strong enough to attribute the operation to any specific government.

Samsung yet to comment

Samsung has not issued a statement regarding the findings. Researchers also noted that it remains unclear who built the spyware and how many people were actually targeted.

Users with Galaxy devices running Android 13–15 are advised to ensure they have installed all April 2025 or later security updates.