The U.S. Cybersecurity and Infrastructure Security Agency has issued a critical alert warning that advanced spyware campaigns are actively hijacking user accounts on major messaging platforms. According to CISA, commercial spyware and remote access tools are being deployed against users of Signal and WhatsApp through a combination of malicious device linking, impersonation attacks, and high-level exploit chains.
CISA stated that the threat actors behind these campaigns use targeted phishing, fraudulent QR codes, zero-click exploits, and spoofed versions of legitimate applications to take control of messaging accounts. Once access is gained, attackers can deliver additional spyware that allows deeper compromise of the victim’s mobile device. The agency emphasized that these operations are ongoing and remain a significant threat to high-value individuals.
Targeting high-value individuals
The alert notes that attackers are not focused on ordinary users. Instead, evidence shows a coordinated effort to compromise individuals who hold politically or strategically sensitive roles. The targeted groups include current and former government officials, military officers, political figures, journalists, and members of civil society organizations across the United States, Europe, and the Middle East. Many of these individuals rely on mobile messaging for both personal and professional communication, which makes account takeover an efficient path for surveillance.
How attackers are hijacking accounts
Several documented campaigns involve abuse of built-in features. One operation linked to Russia-aligned threat actors takes advantage of Signal’s linked devices feature. Victims are tricked into scanning malicious QR codes or visiting fake login pages, allowing attackers to add unauthorized devices to the victim’s account. Once linked, the added device can read and send messages without raising immediate suspicion.
CISA also highlighted Android spyware campaigns known as ProSpy and ToSpy. These operations impersonate encrypted messaging apps and are distributed through fraudulent download pages. Users in regions such as the United Arab Emirates have been targeted with these modified applications, which establish persistent access to the device and exfiltrate sensitive information.
A separate campaign called ClayRat uses Telegram channels and deceptive download sites to push trojanized versions of WhatsApp, Google Photos, TikTok, and YouTube. These versions steal data while appearing to function normally. Researchers also reported a limited but sophisticated operation that chained vulnerabilities in iOS and WhatsApp to compromise fewer than two hundred users worldwide. In another case, attackers exploited a Samsung flaw to deliver commercial-grade Android spyware known as LANDFALL to Galaxy devices in the Middle East.
Growing concerns over mobile spyware
CISA warned that these techniques give attackers direct access to private communications, authentication data, and files stored on the device. Once inside messaging apps, threat actors can observe conversations, capture screenshots, deploy secondary payloads, and potentially move laterally into other connected accounts. Many of the campaigns rely on social engineering, which remains effective even against technically aware users.
Recommended protections for at-risk users
To reduce the risk of compromise, CISA advises high-value individuals to adopt stronger mobile security practices. The recommended actions include:
- Use end-to-end encrypted messaging platforms.
- Enable FIDO-based phishing-resistant authentication when available.
- Avoid SMS-based multi-factor authentication.
- Store credentials in a reputable password manager.
- Set a carrier-level PIN to prevent unauthorized account changes.
- Regularly update device software.
- Use the latest hardware models provided by device manufacturers.
Apple users are encouraged to enable Lockdown Mode, use iCloud Private Relay, and restrict app permissions. Android users should rely on manufacturers with strong security track records, use RCS only when end-to-end encryption is active, enable Enhanced Protection in Chrome, ensure Google Play Protect remains on, and review installed app permissions.
CISA stressed that attackers continue to evolve their methods. Individuals who handle sensitive information or occupy positions that may attract targeted surveillance should assume that malicious actors may attempt to compromise their messaging applications. The agency recommends reviewing its updated Mobile Communications Best Practice Guidance and related resources for civil society organizations to reduce exposure to commercial spyware.

