Why mobile messaging users are under attack
Apps like Signal and WhatsApp are increasingly targeted by commercial spyware operators and remote access trojans (RATs). According to CISA, attackers are exploiting social engineering, spoofed apps, device-linking tricks, and even zero-click exploits to compromise accounts and implant persistent spyware, putting sensitive communications at risk.
Key takeaways at a glance
- Multiple threat actors are exploiting messaging apps to deliver spyware and RATs.
- Common tactics include device-linking QR codes, spoofed apps, zero-click exploit chains, and malicious installs.
- Primary targets are high-value individuals: current or former officials, activists, journalists, and civil society members.
Examples of recent campaigns
Real campaigns highlight the evolving threat: zero-click exploits in WhatsApp targeting iOS, Android spyware families like LANDFALL exploiting Samsung image-processing flaws, and phishing or impersonation campaigns (ProSpy, ToSpy, ClayRat) that trick users into installing malicious apps.
Why encryption isn’t enough to stay safe
End-to-end encryption secures messages in transit, but attackers increasingly target devices and account sync mechanisms to access messages after delivery. This makes hardening endpoints, auditing linked sessions, and using phishing-resistant authentication more critical than ever.
Looking ahead — two trends to watch
Device linking will get tougher
Convenience features like multi-device linking expand the attack surface. Messaging vendors will need to balance usability with stronger authentication, such as cryptographic device attestations, to restore trust.
Commercial spyware changes organizational priorities
Spyware-as-a-service lowers the barrier for targeted espionage. Organizations must focus on operational controls — patching cadence, hardware lifecycle management, and authentication policies — instead of relying solely on endpoint detection.
Practical steps from CISA — a short checklist
- Use end-to-end encrypted apps and regularly audit linked devices.
- Enable FIDO / passkeys and avoid SMS-based MFA.
- Install updates promptly and prefer hardware with strong security support.
- For iOS: enable Lockdown Mode and restrict sensitive app permissions. For Android: use Google Play Protect, Enhanced Safe Browsing, and audit app permissions.
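The checklist item "regularly audit linked devices" (and the device-linking concern above) is easy to state but worth making concrete: the audit is a policy check over the account's session list, not a one-off glance at the settings screen. The following Python is an added illustration, not code from CISA or from any messaging vendor. Messaging apps expose linked devices only through their UI, so the session fields, the constructed sample records, and the policy thresholds (known device names, maximum secondaries, stale and recent-link windows) are all assumptions chosen for the example.

```python
"""Audit a messaging account's linked sessions against a simple device policy.

Added example, not vendor code. Session records are constructed inline; real
apps expose linked devices only through their UI, so the field names, policy
thresholds and device names below are assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class LinkedSession:
    device_name: str
    linked_at: datetime      # when the device was linked (QR scan or link code)
    last_active: datetime    # last time this session sent or synced messages
    link_method: str         # "primary", "qr" or "link_code" (assumed values)


# Policy knobs (assumptions for this example)
KNOWN_DEVICES = {"primary-phone", "work-laptop"}   # devices the user expects to see
MAX_LINKED_DEVICES = 2                             # secondaries allowed besides primary
STALE_AFTER = timedelta(days=30)                   # idle sessions should be unlinked
RECENT_LINK_WINDOW = timedelta(days=7)             # fresh links deserve a second look


def audit_sessions(sessions, now, known=KNOWN_DEVICES, max_linked=MAX_LINKED_DEVICES):
    """Return a list of (finding_code, subject) tuples for the given sessions.

    A device-linking attack shows up here as a secondary session the user did not
    expect: unknown name, recently linked, or both. Stale sessions are flagged
    because an idle linked device is still a full copy of the conversation.
    """
    findings = []
    secondaries = [s for s in sessions if s.link_method != "primary"]
    if len(secondaries) > max_linked:
        findings.append(("too_many_linked", str(len(secondaries))))
    for s in secondaries:
        if s.device_name not in known:
            findings.append(("unknown_device", s.device_name))
        if now - s.linked_at <= RECENT_LINK_WINDOW:
            findings.append(("recently_linked", s.device_name))
        if now - s.last_active >= STALE_AFTER:
            findings.append(("stale_session", s.device_name))
    return findings


def devices_to_unlink(findings):
    """Devices the policy says to remove: anything unknown or idle past the window."""
    remove = {subject for code, subject in findings
              if code in ("unknown_device", "stale_session")}
    return sorted(remove)


# Constructed sample data: one primary, one expected laptop, one fresh unknown
# desktop link, and one forgotten tablet that has been idle for three months.
NOW = datetime(2025, 3, 1, tzinfo=timezone.utc)
SAMPLE_SESSIONS = [
    LinkedSession("primary-phone", NOW - timedelta(days=400), NOW, "primary"),
    LinkedSession("work-laptop", NOW - timedelta(days=120), NOW - timedelta(days=1), "qr"),
    LinkedSession("Desktop", NOW - timedelta(days=2), NOW - timedelta(hours=3), "qr"),
    LinkedSession("old-tablet", NOW - timedelta(days=200), NOW - timedelta(days=90), "link_code"),
]


if __name__ == "__main__":
    results = audit_sessions(SAMPLE_SESSIONS, NOW)
    for code, subject in results:
        print(f"{code:16s} {subject}")
    print("unlink:", devices_to_unlink(results))
```

Run against the sample data, the audit reports three secondaries against a limit of two, flags "Desktop" as both unknown and recently linked (the pattern a QR-code device-linking trick would leave behind), and marks "old-tablet" as unknown and stale; `devices_to_unlink` then names both for removal while the expected laptop passes. The thresholds are deliberately simple; the point is that the check is repeatable, which is what "regularly audit" requires.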
The bottom line
Commercial spyware campaigns hijacking messaging apps are active and targeted. Technical patches combined with immediate operational steps — FIDO authentication, device audits, forced updates — are the most effective defenses available today. These controls are especially urgent for high-value users and teams handling sensitive information.
