CISA Warns of Surge in Spyware Attacks Targeting Signal and WhatsApp Users
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning about a surge in targeted attacks involving commercial surveillance tools and remote-access software. Threat actors have increasingly focused on users of popular messaging platforms, seeking to seize control of private conversations and broaden their monitoring of mobile devices. Concern over these campaigns has intensified as attackers employ increasingly elaborate social-engineering tactics and technical methods capable of circumventing built-in security protections.
According to the agency, several interconnected incidents have been uncovered this year. In one case, multiple groups attempted to compromise Signal accounts by exploiting the platform’s device-linking feature. In the UAE, investigators identified the ProSpy and ToSpy programs, which were distributed under the guise of legitimate apps and provided persistent access to Android phones.
Another tool, ClayRat, was spread through fake websites and Telegram channels while posing as WhatsApp, Google Photos, TikTok, or YouTube. Once installed, it immediately began harvesting data. A separate campaign targeted a small set of WhatsApp users and may have leveraged a combination of two vulnerabilities — one in iOS and another in the messenger itself. Yet another episode involved abusing a Samsung device flaw to deliver the LANDFALL spyware to smartphones across the Middle East.
The advisory notes that attackers are combining multiple infection vectors, including QR codes for device pairing, concealed delivery mechanisms for malicious attachments, and counterfeit versions of widely used apps. The overarching goal is to gain access to individuals whose data holds elevated value. Among those at risk are current and former government officials, military personnel, politicians, civil-society advocates, and other high-profile groups across the United States, Europe, and the Middle East.
The agency urges potential targets to reassess their approach to securing digital devices. Recommended measures include selectively using encrypted communication tools, enabling phishing-resistant forms of two-factor authentication, avoiding repeated SMS-based verification, employing reputable password managers, and enforcing stronger protections with mobile carriers.
Additional guidance includes regularly updating software, choosing modern smartphones, and scrutinizing the permissions granted to installed applications. For Apple devices, the advisory highlights Lockdown Mode and enhanced privacy features; for Android users, it recommends selecting manufacturers with robust security practices and enabling built-in monitoring and filtering mechanisms.