CISA is aware of multiple cyber threat actors actively leveraging commercial spyware to target users of mobile messaging applications (apps).1 These cyber actors use sophisticated targeting and social engineering techniques to deliver spyware and gain unauthorized access to a victim’s messaging app, facilitating the deployment of additional malicious payloads that can further compromise the victim’s mobile device.
These cyber actors use tactics such as:
- Phishing and malicious device-linking QR codes to compromise victim accounts and link them to actor-controlled devices.
- Zero-click exploits,2 which require no direct action from the device user.
- Impersonation3 of messaging app platforms, such as Signal and WhatsApp.
While current targeting remains opportunistic, evidence suggests these cyber actors focus on high-value individuals, such as current and former high-ranking government, military, and political officials,4 as well as civil society organizations (CSOs) and individuals across the United States,5 Middle East,6 and Europe.7
CISA strongly encourages messaging app users to review the updated Mobile Communications Best Practice Guidance and Mitigating Cyber Threats with Limited Resources: Guidance for Civil Society for steps to protect mobile communications and messaging apps, as well as mitigations against spyware.
Notes
1 Dan Black, “Multiple Russia-Aligned Threat Actors Actively Targeting Signal Messenger,” Google Threat Intelligence (blog), Google, last updated February 19, 2025, https://cloud.google.com/blog/topics/threat-intelligence/russia-targeting-signal-messenger/.
2 Unit 42, “LANDFALL: New Commercial-Grade Android Spyware in Exploit Chain Targeting Samsung Devices,” Threat Research (blog), Unit 42, Palo Alto Networks, last updated November 7, 2025, https://unit42.paloaltonetworks.com/landfall-is-new-commercial-grade-android-spyware/; and Ravie Lakshmanan, “WhatsApp Patches Zero-Click Exploit Targeting iOS and macOS Devices,” The Hacker News, August 30, 2025, https://thehackernews.com/2025/08/whatsapp-issues-emergency-update-for.html.
3 Vishnu Pratapagiri, “ClayRat: A New Android Spyware Targeting Russia,” Zimperium (blog), Zimperium, October 9, 2025, https://zimperium.com/blog/clayrat-a-new-android-spyware-targeting-russia; Bill Toulas, “Android Spyware Campaigns Impersonate Signal and ToTok Messengers,” Bleeping Computer, October 2, 2025, https://www.bleepingcomputer.com/news/security/android-spyware-campaigns-impersonate-signal-and-totok-messengers/; and Pierluigi Paganini, “ClayRat Campaign Uses Telegram and Phishing Sites to Distribute Android Spyware,” Security Affairs, October 9, 2025, https://securityaffairs.com/183169/malware/clayrat-campaign-uses-telegram-and-phishing-sites-to-distribute-android-spyware.html.
4 Courtney Rozen, “WhatsApp Banned on US House of Representatives Devices, Memo Shows,” Reuters, June 23, 2025, https://www.reuters.com/world/us/whatsapp-banned-us-house-representatives-devices-memo-2025-06-23/; and Andrew Solender, “WhatsApp Banned on House Staffers’ Devices,” Axios, June 23, 2025, https://www.axios.com/2025/06/23/whatsapp-house-congress-staffers-messaging-app.
5 Suzanne Smalley, “Judge Bars NSO from Targeting WhatsApp Users with Spyware, Reduces Damages in Landmark Case.” The Record, October 20, 2025, https://therecord.media/judge-bars-nso-from-targeting-whatsapp-users-lowers-damages.
6 Suzanne Smalley, “Researchers Uncover Spyware Targeting Messaging App Users in the UAE,” The Record, October 2, 2025, https://therecord.media/researchers-spyware-uae-infections.
7 Paganini, “ClayRat Campaign Uses Telegram and Phishing Sites to Distribute Android Spyware.”