The US Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning about increasing spyware attacks targeting users of popular encrypted messaging applications such as Signal, WhatsApp, and Telegram. These attacks are primarily carried out by cybercriminals and state-backed hacking groups who do not attempt to break the apps’ end-to-end encryption directly. Instead, they focus on compromising the devices themselves to gain access to messages and other sensitive data stored on the phones.
According to CISA’s recent advisory, attackers employ a variety of sophisticated techniques to infiltrate victims’ smartphones. One common method involves tricking users into scanning fraudulent QR codes that link their messaging accounts to devices controlled by hackers. Another approach is the use of seemingly legitimate app updates that in reality install spyware. The most advanced attacks exploit so-called "zero-click" vulnerabilities, which allow hackers to infect a device simply by sending specially crafted malformed images or files, with no user interaction required.
Although end-to-end encryption effectively secures communications during transmission, it offers little protection once messages reach the device. Once decrypted on the phone, messages can be accessed by attackers who have compromised the system. In addition to messages, hackers can also retrieve files, photos, contacts, call history, and location data from infected devices. CISA notes that these attacks tend to focus on "high-value" targets such as individuals involved in politics, government, and military affairs, but other organizations and individuals across the United States, the Middle East, and Europe have also been affected.
Many of these intrusions leverage commercial spyware, which is often employed by various cyber threat actors. CISA highlights that these groups use advanced social engineering and targeting methods to deploy spyware and gain unauthorized access to mobile messaging applications. This access often enables further malicious payloads to be installed, deepening the compromise of the victim's device.
Recent research underscores the scope of the threat. For example, Palo Alto Networks researchers disclosed details about a commercial-grade spyware named Landfall that exploited a vulnerability in Samsung’s Android image processing library. This critical security flaw was patched by Samsung in April 2025, but not before attackers used it to deliver malicious payloads automatically via malformed images sent through messaging apps like WhatsApp. This exploit allowed attackers to spy on victims’ locations, photos, call logs, and messages, and even to activate microphones.
Additionally, in February 2025, Google threat researchers reported on Russian-linked hacking groups targeting Signal users. These groups deceived users into linking their Signal accounts with attacker-controlled devices, enabling real-time interception of messages without needing to fully compromise the smartphones.
CISA strongly advises users to protect their devices by keeping operating systems and applications up to date with the latest security patches. Users should avoid installing apps from unofficial sources or clicking on links received through messages, even if they appear to come from trusted contacts, whose accounts may have already been compromised. These measures are vital to reducing the risk of spyware infections and safeguarding sensitive communications and personal data.