CISA Warns of Active Spyware Campaigns Targeting Signal, WhatsApp Users; Urges Enhanced Security Measures

CISA Alerts on Active Spyware Threats Targeting Signal and WhatsApp Users

On November 25, 2025, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued a critical alert regarding the active exploitation of commercial spyware and remote access trojans (RATs) by malicious actors targeting users of mobile messaging applications, notably Signal and WhatsApp. These campaigns rely on social engineering to get onto users’ devices, compromise the messaging apps installed there, and then deploy additional malicious payloads that further undermine the security of the device.

Recent Spyware Campaigns Identified:

CISA highlighted several significant campaigns that have emerged since the beginning of the year:

1. Signal Account Hijacking by Russia-Aligned Threat Actors: Exploiting Signal’s linked devices feature, these actors have successfully hijacked user accounts, gaining unauthorized access to private communications.

2. ProSpy and ToSpy Android Spyware in the UAE: Disguised as legitimate apps like Signal and ToTok, these spyware variants have targeted users in the United Arab Emirates. Once installed, they establish persistent access to Android devices, exfiltrating sensitive data.

3. ClayRat Campaign in Russia: This Android spyware campaign utilizes Telegram channels and phishing pages mimicking popular apps such as WhatsApp, Google Photos, TikTok, and YouTube to deceive users into downloading malware that steals personal information.

4. Exploitation of iOS and WhatsApp Vulnerabilities: A targeted attack combined two security flaws in iOS and WhatsApp (CVE-2025-43300 and CVE-2025-55177) to compromise fewer than 200 WhatsApp users, underscoring the risks associated with unpatched software.

5. LANDFALL Spyware Targeting Samsung Devices: By exploiting a Samsung security flaw (CVE-2025-21042), attackers deployed the LANDFALL spyware on Galaxy devices in the Middle East, compromising device integrity and user privacy.

Tactics Employed by Threat Actors:

The threat actors behind these campaigns rely on several methods to reach their targets:

– Device-Linking QR Codes: By abusing the QR codes that messaging apps use to link an additional device to an account, attackers can gain unauthorized access to that account’s messages.

– Zero-Click Exploits: These exploits require no user interaction, allowing malware to be installed silently and compromising devices without the user’s knowledge.

– Distribution of Spoofed Messaging Apps: Malicious actors create counterfeit versions of popular messaging applications, tricking users into downloading and installing malware-laden apps.

Targeted Individuals and Regions:

The primary targets of these campaigns are high-value individuals, including current and former high-ranking government, military, and political officials, as well as members of civil society organizations. Geographically, these activities have been concentrated in the United States, the Middle East, and Europe, reflecting the strategic interests of the threat actors.

Recommended Security Measures:

In response to these threats, CISA advises individuals, especially those at higher risk, to implement the following best practices to enhance their cybersecurity posture:

1. Utilize End-to-End Encrypted (E2EE) Communications: Ensure that all messaging applications employ E2EE to protect the confidentiality of communications.

2. Enable Phishing-Resistant Authentication: Adopt Fast Identity Online (FIDO) authentication methods to mitigate the risk of phishing attacks.

3. Avoid SMS-Based Multi-Factor Authentication (MFA): Transition away from SMS-based MFA, as it is more susceptible to interception and spoofing.

4. Use a Password Manager: Employ a reputable password manager to generate and store complex, unique passwords for all accounts.

5. Set a Telecommunications Provider PIN: Establish a PIN with your mobile service provider to add an extra layer of security to your account.

6. Regularly Update Software: Keep all software, including operating systems and applications, up to date to patch known vulnerabilities.

7. Opt for the Latest Hardware: Use the most recent hardware versions from reputable manufacturers to benefit from the latest security features.

8. Avoid Personal Virtual Private Networks (VPNs): Refrain from using personal VPNs, as they can introduce additional security risks if not properly managed.

9. iPhone Users:

– Enable Lockdown Mode: Activate Lockdown Mode to restrict device functionality and reduce the attack surface.

– Enroll in iCloud Private Relay: Use iCloud Private Relay to enhance online privacy by encrypting internet traffic.

– Review and Restrict App Permissions: Regularly audit app permissions and limit access to sensitive data.

10. Android Users:

– Choose Secure Devices: Select devices from manufacturers with strong security track records.

– Enable E2EE in RCS: Ensure that Rich Communication Services (RCS) messaging has E2EE enabled.

– Turn on Enhanced Protection in Chrome: Activate Enhanced Protection for Safe Browsing in the Chrome browser.

– Ensure Google Play Protect is Active: Verify that Google Play Protect is enabled to scan for malicious apps.

– Audit and Limit App Permissions: Regularly review app permissions and restrict access to necessary functions only.

Conclusion:

The increasing sophistication of spyware campaigns targeting messaging app users underscores the critical need for heightened vigilance and proactive security measures. By adhering to the recommended best practices, individuals can significantly reduce their risk of falling victim to these malicious activities. Staying informed about emerging threats and maintaining robust cybersecurity hygiene are essential steps in safeguarding personal and professional communications against unauthorized access and exploitation.