US issues warning over spyware attacks targeting WhatsApp and Signal

Nov 26, 2025
10:27 am

What's the story

The US Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning about state-sponsored hackers and cyber mercenaries using commercial spyware to compromise Signal and WhatsApp accounts. The agency said these attackers hijack devices and access private information of "high-value" users. The warning was issued in an alert published on Monday.

Attack methods

Attackers employ various techniques to compromise messaging apps

CISA revealed that the attackers are using a combination of phishing, fake QR codes, malicious app impersonation, and even zero-click exploits to compromise seemingly secure messaging apps. The agency noted that these activities indicate a growing interest in "high-value" individuals such as current and former senior government officials, military personnel, political leaders, and civil society groups across the US, Middle East, and Europe.

Spyware delivery

Attackers use sophisticated techniques to deliver spyware

"CISA is aware of multiple cyber threat actors actively leveraging commercial spyware to target users of mobile messaging applications," the agency said. It added that these cyber actors use advanced targeting and social engineering techniques to deliver spyware. This gives them unauthorized access to a victim's messaging app, allowing them to deploy additional malicious payloads that can further compromise the victim's mobile device.

Bypassing encryption

Attackers bypass encryption by spoofing apps, abusing account features

The CISA bulletin shows attackers bypassing encryption by spoofing apps, abusing account features, and exploiting phones. For instance, Google's Threat Intelligence Group revealed in February how several Russia-aligned groups such as Sandworm and Turla tried to snoop on Signal users by abusing the app's "linked devices" feature. By tricking victims into scanning a tampered QR code, these operators were able to add an attacker-controlled device to the account.

Spyware delivery

Commercial-grade spyware delivered to Samsung Galaxy devices

CISA also highlighted a separate Android exploitation campaign led by Palo Alto Networks's Unit 42. In this case, commercial-grade spyware called LANDFALL was delivered to Samsung Galaxy devices. The campaign combined a Samsung vulnerability with a zero-click WhatsApp exploit, letting operators slip a malicious image into a target's inbox and compromise the device upon receipt.

App impersonation

Attackers impersonate popular apps to compromise devices

Not all attacks relied on exploits. Some campaigns, including ProSpy and ToSpy, made headway by impersonating popular apps such as Signal and TikTok. Once these malicious versions were installed on a device, they could access chat data, recordings, and files. Meanwhile, researchers at Zimperium discovered ClayRat, an Android spyware family seeded across Russia via fake Telegram channels and phishing sites posing as WhatsApp, TikTok, and YouTube. To reduce spyware risk, avoid unknown links and downloads, even in chat apps.