Hacked Samsung Galaxies for Months, Morocco Affected

– by Said · 2 min read
A sophisticated spyware campaign targeted Samsung Galaxy phones for nearly a year by exploiting a previously unknown security vulnerability. Security researchers have revealed that samples of this malware were detected in Morocco and several Middle Eastern countries.

According to researchers from Palo Alto Networks Unit 42, the spyware, dubbed "Landfall", was first detected in July 2024. It exploited a "zero-day" vulnerability, meaning a flaw unknown to Samsung at the time. Infection required no action from the victim: receiving a booby-trapped image, likely via a messaging app, was enough.

Samsung patched this vulnerability, now identified as CVE-2025-21042, in April 2025. However, the details of the espionage campaign had not been revealed until now. The spyware was capable of full surveillance, including access to photos, messages, contacts, microphone recording, and location tracking.

A "Precision Attack" Linked to Stealth Falcon

Researchers believe this was a "precision attack" targeting specific individuals, likely for espionage purposes, and not a mass attack. Although the perpetrator has not been formally identified, the investigation revealed that "Landfall" shared digital infrastructure with Stealth Falcon, a surveillance provider known to have targeted journalists and activists in the United Arab Emirates in the past.

Samples of the spyware were uploaded to the VirusTotal service from Morocco, Iran, Iraq, and Turkey throughout 2024 and early 2025. The malware’s source code specifically referenced recent models such as the Galaxy S22, S23, S24, and some Z models, but the vulnerability could affect other Android 13 to 15 devices.