
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday issued a warning about criminals actively using commercial spyware and remote access Trojans (RATs) to target users of mobile messaging applications.
“These cyberattackers leverage sophisticated targeting and social engineering techniques to deliver spyware, gain unauthorized access to victims’ messaging apps, and facilitate the deployment of additional malicious payloads that may further compromise victims’ mobile devices,” the agency said.

CISA cited several campaigns uncovered since the beginning of the year as examples. Some of them are:
- Multiple Russian-aligned attackers target the Signal messaging app by leveraging the service’s “linked devices” feature to hijack target user accounts.
- ClayRat, an Android spyware campaign codenamed ProSpy and ToSpy, impersonates apps like Signal and ToTok and targets users in the United Arab Emirates to deliver malware that establishes persistent access to compromised Android devices and steals data.
- An Android spyware campaign targeted users in Russia using Telegram channels and lookalike phishing pages that impersonated popular apps like WhatsApp, Google Photos, TikTok, and YouTube, tricked users into installing them, and stole sensitive data.
- A targeted attack campaign against WhatsApp users chained together two security flaws in iOS and WhatsApp (CVE-2025-43300 and CVE-2025-55177), targeting fewer than 200 users.
- A targeted attack campaign exploited a Samsung security flaw (CVE-2025-21042) to deliver Android spyware called LANDFALL to Galaxy devices in the Middle East.
The agency said attackers used multiple tactics to compromise their targets, including device-linking QR codes, zero-click exploits, and distribution of spoofed versions of messaging apps.
CISA also noted that these operations primarily focus on high-value individuals, including current and former government, military, and political officials, as well as civil society organizations and individuals across the United States, the Middle East, and Europe.

To combat this threat, the agency urges targeted individuals to review and adhere to the following best practices:
- Use only end-to-end encrypted (E2EE) communications
- Enable Fast Identity Online (FIDO) phishing-resistant authentication
- Move away from Short Message Service (SMS)-based multi-factor authentication (MFA)
- Use a password manager to store all your passwords
- Set a PIN for your carrier to protect your mobile phone account
- Update your software regularly
- Choose the latest hardware version from your phone manufacturer to maximize your security benefits
- Personal Virtual Private Network (VPN)
- On iPhones, enable Lockdown Mode and iCloud Private Relay, and review and restrict sensitive app permissions
- On Android smartphones, choose smartphones from manufacturers with a strong security track record, use Rich Communication Services (RCS) only when E2EE is enabled, turn on Safe Browsing Enhanced Protection on Chrome, ensure Google Play Protect is turned on, and audit and restrict app permissions
