The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday issued an alert warning of bad actors actively leveraging commercial spyware and remote access trojans (RATs) to target users of mobile messaging applications.
“These cyber actors use sophisticated targeting and social engineering techniques to deliver spyware and gain unauthorized access to a victim’s messaging app, facilitating the deployment of additional malicious payloads that can further compromise the victim’s mobile device,” the agency said.
CISA cited as examples multiple campaigns that have come to light since the start of the year. Some of them include –
- The targeting of the Signal messaging app by multiple Russia-aligned threat actors by taking advantage of the service’s “linked devices” feature to hijack target user accounts
- Android spyware campaigns codenamed ProSpy and ToSpy that impersonate apps like Signal and ToTok to target users in the United Arab Emirates to deliver malware that establishes persistent access to compromised Android devices and exfiltrates data
- An Android spyware campaign called ClayRat has targeted users in Russia using Telegram channels and lookalike phishing pages by impersonating popular apps like WhatsApp, Google Photos, TikTok, and YouTube to trick users into installing them and steal sensitive data
- A targeted attack campaign that likely chained two security flaws in iOS and WhatsApp (CVE-2025-43300 and CVE-2025-55177) to target fewer than 200 WhatsApp users
- A targeted attack campaign that involved the exploitation of a Samsung security flaw (CVE-2025-21042) to deliver an Android spyware dubbed LANDFALL to Galaxy devices in the Middle East
The agency said the threat actors use multiple tactics to achieve compromise, including device-linking QR codes, zero-click exploits, and distributing spoofed versions of messaging apps.
CISA also pointed out that these activities focus on high-value individuals, primarily current and former high-ranking government, military, and political officials, along with civil society organizations and individuals across the United States, the Middle East, and Europe.
To counter the threat, the agency is urging highly targeted individuals to review and adhere to the following best practices –
- Only use end-to-end encrypted (E2EE) communications
- Enable Fast Identity Online (FIDO) phishing-resistant authentication
- Move away from Short Message Service (SMS)-based multi-factor authentication (MFA)
- Use a password manager to store all passwords
- Set a telecommunications provider PIN to secure mobile phone accounts
- Periodically update software
- Opt for the latest hardware version from the cell phone manufacturer to maximize security benefits
- Do not use a personal virtual private network (VPN)
- On iPhones, enable Lockdown Mode, enroll in iCloud Private Relay, and review and restrict sensitive app permissions
- On Android phones, choose phones from manufacturers with strong security track records, only use Rich Communication Services (RCS) if E2EE is enabled, turn on Enhanced Protection for Safe Browsing in Chrome, ensure Google Play Protect is on, and audit and limit app permissions