Headline
CISA Warns of Active Spyware Campaigns Hijacking High-Value Signal and WhatsApp Users
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday issued an alert warning of bad actors actively leveraging commercial spyware and remote access trojans (RATs) to target users of mobile messaging applications. "These cyber actors use sophisticated targeting and social engineering techniques to deliver spyware and gain unauthorized access to a victim’s messaging app,
Spyware / Mobile Security
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday issued an alert warning of bad actors actively leveraging commercial spyware and remote access trojans (RATs) to target users of mobile messaging applications.
“These cyber actors use sophisticated targeting and social engineering techniques to deliver spyware and gain unauthorized access to a victim’s messaging app, facilitating the deployment of additional malicious payloads that can further compromise the victim’s mobile device,” the agency said.
CISA cited as examples multiple campaigns that have come to light since the start of the year. Some of them include -
- The targeting of the Signal messaging app by multiple Russia-aligned threat actors by taking advantage of the service’s “linked devices” feature to hijack target user accounts
- Android spyware campaigns codenamed ProSpy and ToSpy that impersonate apps like Signal and ToTok to target users in the United Arab Emirates to deliver malware that establishes persistent access to compromised Android devices and exfiltrates data
- An Android spyware campaign called ClayRat has targeted users in Russia using Telegram channels and lookalike phishing pages by impersonating popular apps like WhatsApp, Google Photos, TikTok, and YouTube to trick users into installing them and steal sensitive data
- A targeted attack campaign that likely chained two security flaws in iOS and WhatsApp (CVE-2025-43300 and CVE-2025-55177) to target fewer than 200 WhatsApp users
- A targeted attack campaign that involved the exploitation of a Samsung security flaw (CVE-2025-21042) to deliver an Android spyware dubbed LANDFALL to Galaxy devices in the Middle East
The agency said the threat actors use multiple tactics to achieve compromise, including device-linking QR codes, zero-click exploits, and distributing spoofed versions of messaging apps.
CISA also pointed out that these activities focus on high-value individuals, primarily current and former high-ranking government, military, and political officials, along with civil society organizations and individuals across the United States, the Middle East, and Europe.
To counter the threat, the agency is urging highly targeted individuals to review and adhere to the following best practices -
- Only use end-to-end encrypted (E2EE) communications
- Enable Fast Identity Online (FIDO) phishing-resistant authentication
- Move away from Short Message Service (SMS)-based multi-factor authentication (MFA)
- Use a password manager to store all passwords
- Set a telecommunications provider PIN to secure mobile phone accounts
- Periodically update software
- Opt for the latest hardware version from the cell phone manufacturer to maximize security benefits
- Do not use a personal virtual private network (VPN)
- On iPhones, enable Lockdown Mode, enroll in iCloud Private Relay, and review and restrict sensitive app permissions
- On Android phones, choose phones from manufacturers with strong security track records, only use Rich Communication Services (RCS) if E2EE is enabled, turn on Enhanced Protection for Safe Browsing in Chrome, ensure Google Play Protect is on, and audit and limit app permissions
Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.
Related news
A critical vulnerability that affects Samsung mobile devices was exploited in the wild to distribute LANDFALL spyware.
Unit 42 discovered LANDFALL, commercial-grade Android spyware, which used a hidden image vulnerability (CVE-2025-21042) to remotely spy on Samsung Galaxy users via WhatsApp. Update your phone now.
Cyber threats didn’t slow down last week—and attackers are getting smarter. We’re seeing malware hidden in virtual machines, side-channel leaks exposing AI chats, and spyware quietly targeting Android devices in the wild. But that’s just the surface. From sleeper logic bombs to a fresh alliance between major threat groups, this week’s roundup highlights a clear shift: cybercrime is evolving fast
A now-patched security flaw in Samsung Galaxy Android devices was exploited as a zero-day to deliver a "commercial-grade" Android spyware dubbed LANDFALL in targeted attacks in the Middle East. The activity involved the exploitation of CVE-2025-21042 (CVSS score: 8.8), an out-of-bounds write flaw in the "libimagecodec.quram.so" component that could allow remote attackers to execute arbitrary
Apple on Monday backported fixes for a recently patched security flaw that has been actively exploited in the wild. The vulnerability in question is CVE-2025-43300 (CVSS score: 8.8), an out-of-bounds write issue in the ImageIO component that could result in memory corruption when processing a malicious image file. "Apple is aware of a report that this issue may have been exploited in an
Apple has notified users in France of a spyware campaign targeting their devices, according to the Computer Emergency Response Team of France (CERT-FR). The agency said the alerts were sent out on September 3, 2025, making it the fourth time this year that Apple has notified citizens in the county that at least one of the devices linked to their iCloud accounts may have been compromised as part
Apple has notified users in France of a spyware campaign targeting their devices, according to the Computer Emergency Response Team of France (CERT-FR). The agency said the alerts were sent out on September 3, 2025, making it the fourth time this year that Apple has notified citizens in the county that at least one of the devices linked to their iCloud accounts may have been compromised as part
Microsoft Corp. today issued security updates to fix more than 80 vulnerabilities in its Windows operating systems and software. There are no known "zero-day" or actively exploited vulnerabilities in this month's bundle from Redmond, which nevertheless includes patches for 13 flaws that earned Microsoft's most-dire "critical" label. Meanwhile, both Apple and Google recently released updates to fix zero-day bugs in their devices.
Microsoft Corp. today issued security updates to fix more than 80 vulnerabilities in its Windows operating systems and software. There are no known "zero-day" or actively exploited vulnerabilities in this month's bundle from Redmond, which nevertheless includes patches for 13 flaws that earned Microsoft's most-dire "critical" label. Meanwhile, both Apple and Google recently released updates to fix zero-day bugs in their devices.
Bill takes thoughtful look at the transition from summer camp to grind season, explores the importance of mental health and reflects on AI psychiatry.
CISA updates its KEV List with TP-Link Wi-Fi extender and WhatsApp spyware flaws, urging users and agencies to…
CISA updates its KEV List with TP-Link Wi-Fi extender and WhatsApp spyware flaws, urging users and agencies to…
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added a high-severity security flaw impacting TP-Link TL-WA855RE Wi-Fi Ranger Extender products to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. The vulnerability, CVE-2020-24363 (CVSS score: 8.8), concerns a case of missing authentication that could be abused to obtain
WhatsApp has patched a vulnerability that was used in conjunction with an Apple vulnerability in zero-click attacks.
WhatsApp has patched a vulnerability that was used in conjunction with an Apple vulnerability in zero-click attacks.
Cybersecurity today is less about single attacks and more about chains of small weaknesses that connect into big risks. One overlooked update, one misused account, or one hidden tool in the wrong hands can be enough to open the door. The news this week shows how attackers are mixing methods—combining stolen access, unpatched software, and clever tricks to move from small entry points to large
Cybersecurity today is less about single attacks and more about chains of small weaknesses that connect into big risks. One overlooked update, one misused account, or one hidden tool in the wrong hands can be enough to open the door. The news this week shows how attackers are mixing methods—combining stolen access, unpatched software, and clever tricks to move from small entry points to large
WhatsApp has patched a critical 0-day (CVE-2025-55177) that allowed zero-click spyware attacks on iOS and Mac users. The…
WhatsApp has patched a critical 0-day (CVE-2025-55177) that allowed zero-click spyware attacks on iOS and Mac users. The…
WhatsApp has addressed a security vulnerability in its messaging apps for Apple iOS and macOS that it said may have been exploited in the wild in conjunction with a recently disclosed Apple flaw in targeted zero-day attacks. The vulnerability, CVE-2025-55177 (CVSS score: 8.0), relates to a case of insufficient authorization of linked device synchronization messages. Internal researchers on the
WhatsApp has addressed a security vulnerability in its messaging apps for Apple iOS and macOS that it said may have been exploited in the wild in conjunction with a recently disclosed Apple flaw in targeted zero-day attacks. The vulnerability, CVE-2025-55177 (CVSS score: 8.0), relates to a case of insufficient authorization of linked device synchronization messages. Internal researchers on the
A list of topics we covered in the week of August 18 to August 24 of 2025
Apple fixes CVE-2025-43300, a flaw letting hackers hijack devices via malicious images. Users urged to update iPhone, iPad,…
Apple has released security updates to patch a zero-day vulnerability tracked as CVE-2025-43300 for all platforms