Security researchers have found Android spyware that targeted Samsung Galaxy phones during a nearly year-long hacking campaign.
Researchers at Palo Alto Networks’ Unit 42 said the spyware, which they call “Landfall,” was first detected in July 2024 and relied on exploiting a security flaw in the Galaxy phone software that was unknown to Samsung at the time, a type of vulnerability known as a zero-day.
Unit 42 said the flaw could be abused by sending a maliciously crafted image to a victim’s phone, likely delivered through a messaging app, and that the attacks may not have required any interaction from the victim.
Samsung patched the security flaw, tracked as CVE-2025-21042, in April 2025, but details of the spyware campaign abusing the flaw have not been previously reported.
The researchers said it is not known which surveillance vendor developed the Landfall spyware, nor is it known how many individuals were targeted as part of the campaign. But the researchers said that the attacks likely targeted individuals in the Middle East.
Itay Cohen, a senior principal researcher at Unit 42, told TechCrunch that the hacking campaign consisted of a “precision attack” on specific individuals and not a mass-distributed malware, which indicates that the attacks were likely driven by espionage.
Unit 42 found that the Landfall spyware shares overlapping digital infrastructure used by a known surveillance vendor dubbed Stealth Falcon, which has previously been seen in spyware attacks against Emirati journalists, activists, and dissidents as far back as 2012. But the researchers said that the links with Stealth Falcon, while intriguing, were not enough to clearly attribute the attacks to a particular government customer.
Unit 42 said that the Landfall spyware samples they discovered had been uploaded to VirusTotal, a malware scanning service, by individuals in Morocco, Iran, Iraq, and Turkey throughout 2024 and early 2025.
Turkey’s national cyber readiness team, known as USOM, flagged one of the IP addresses that the Landfall spyware connected to as malicious, which Unit 42 said supports the theory that individuals in Turkey may have been targeted.
Much like other government spyware, Landfall is capable of broad device surveillance, such as accessing the victim’s data, including photos, messages, contacts and call logs, as well as tapping the device’s microphone and tracking their precise location.
Unit 42 found that the spyware’s source code referenced five specific Galaxy phones, including the Galaxy S22, S23, S24, and some Z models, as targets. Cohen said that the vulnerability may have also been present on other Galaxy devices, and affected Android versions 13 through 15.
Samsung did not respond to a request for comment.
