'Landfall' spyware abused zero-day to hack Samsung Galaxy phones | TechCrunch

Much like other government spyware, Landfall is capable of broad device surveillance, such as accessing the victim’s data, including photos, messages, contacts, and call logs, as well as the tapping of the device’s microphone and tracking their precise location.

Unit 42 found that the spyware’s source code referenced five specific Galaxy phones, including the Galaxy S22, S23, S24, and some Z models, as targets. Cohen said that the vulnerability may have also been present on other Galaxy devices, and affected Android versions 13 through 15.

Ars also has a great article on this with more technical detail:

Like Pegasus, it uses the initial vector of a malicious image sent via a messaging app. However, unlike Pegasus, it appears to be persistent and able to survive restarts:

Removing the spyware is no easy feat, either. Because of its ability to manipulate SELinux policies, it can burrow deeply into the system software. It also includes several tools that help evade detection. Based on the VirusTotal submissions, Unit 42 believes Landfall was active in 2024 and early 2025 in Iraq, Iran, Turkey, and Morocco. The vulnerability may have been present in Samsung’s software from Android 13 through Android 15, the company suggests.

Given the targeted countries and sophisticated nature of this spyware, I would bet it came from an Israeli spyware company.