‘Landfall’ spyware abused zero-day to hack Samsung Galaxy phones

Security researchers have discovered an Android spyware that targeted Samsung Galaxy phones during a nearly year-long hacking campaign.

Researchers at Palo Alto Networks’ Unit 42 said the spyware, which they call “Landfall,” was first detected in July 2024 and relied on exploiting a security flaw in the Galaxy phone software that was unknown to Samsung at the time, a type of vulnerability known as a zero-day.

Unit 42 said the flaw could be abused by sending a maliciously crafted image to a victim’s phone, likely delivered through a messaging app, and that the attacks may not have required any interaction from the victim.

Samsung patched the security flaw, tracked as CVE-2025-21042, in April 2025, but details of the spyware campaign abusing the flaw have not been previously reported.

The researchers said it is not known which surveillance vendor developed the Landfall spyware, nor is it known how many individuals were targeted as part of the campaign. But the researchers said that the attacks likely targeted individuals in the Middle East.

Itay Cohen, a senior principal researcher at Unit 42, told information.killnetswitch that the hacking campaign consisted of a “precision attack” on specific individuals and not a mass-distributed malware, which indicates that the attacks were likely driven by espionage.

Unit 42 found that the Landfall spyware shares overlapping digital infrastructure used by a known surveillance vendor dubbed Stealth Falcon, which has previously been seen in spyware attacks against Emirati journalists, activists, and dissidents as far back as 2012. But the researchers said that the links with Stealth Falcon, while intriguing, were not enough to clearly attribute the attacks to a particular government customer.

Unit 42 said that the Landfall spyware samples that they discovered had been uploaded to VirusTotal, a malware scanning service, by individuals in Morocco, Iran, Iraq, and Turkey throughout 2024 and early 2025.

Turkey’s national cyber readiness team, known as USOM, flagged one of the IP addresses that the Landfall spyware connected to as malicious, which Unit 42 said supports the theory that individuals in Turkey may have been targeted.

Much like other government spyware, Landfall is capable of broad device surveillance, such as accessing the victim’s data, including photos, messages, contacts and call logs, as well as tapping the device’s microphone and tracking their precise location.

Unit 42 found that the spyware’s source code referenced five specific Galaxy phones, including the Galaxy S22, S23, S24, and some Z models, as targets. Cohen said that the vulnerability may have also been present on other Galaxy devices, and affected Android versions 13 through 15.

Samsung did not respond to a request for comment.
