Spyware Targeting Secure Mobile Messaging Applications

Executive Summary: A recent CISA alert warns that multiple threat actors are leveraging commercial spyware to compromise users of end-to-end encrypted mobile messaging apps. These attackers employ sophisticated tactics – including malicious QR codes, zero-click exploits, and trojanized messaging apps – to gain unauthorized access to victims’ messaging accounts and intercept private communications. Once a messaging app is breached, additional malicious payloads can be deployed to further compromise the victim’s mobile device and exfiltrate data. Current attacks appear opportunistic but evidence shows a focus on high-value targets such as senior government, military, and political figures, as well as journalists and NGO personnel across the United States, the Middle East, and Europe. The severity of this threat is high given the advanced methods and sensitive targets involved, requiring urgent implementation of recommended mitigations.

Technical Context

Throughout 2025, cybersecurity agencies have observed a surge in mobile espionage activity by state-sponsored and sophisticated threat groups. These campaigns exploit “commercial” spyware tools – ostensibly developed for law enforcement – to covertly monitor encrypted communications. A CISA bulletin reports that multiple cyber actors are actively using such mobile spyware to target secure messaging applications. The goal is to surreptitiously access sensitive conversations protected by end-to-end encryption, by bypassing or abusing the apps’ security features. Once a messaging app is compromised, the attackers deploy additional malware to fully infiltrate the victim’s device, enabling extensive surveillance and data theft. This modus operandi aligns with a broader trend of advanced spyware (e.g. Pegasus, FinFisher) being misused by malicious actors to conduct targeted surveillance under the guise of “lawful intercept” operations.

Vulnerabilities Exploited

The observed attacks take advantage of critical software vulnerabilities – often zero-day flaws – in messaging apps or in the mobile OS components they rely on (image codecs in particular). Exploiting these allows adversaries to achieve remote compromise without user interaction (zero-click exploits). For example, the LANDFALL campaign leveraged CVE-2025-21042, a zero-day vulnerability in Samsung’s Android image codec library, by sending booby-trapped DNG image files, apparently via WhatsApp. This critical flaw enabled arbitrary code execution when the image was parsed, and was abused in the wild until Samsung patched it in April 2025. Similarly, in August 2025, an exploit chain targeting iOS combined an Apple image-parsing zero-day (CVE-2025-43300, in the ImageIO framework) with a WhatsApp vulnerability (CVE-2025-55177, an incomplete authorization check on linked-device synchronization messages that let an unrelated user trigger processing of content from an arbitrary URL on the target’s device) to achieve silent device takeover by simply delivering a malicious image to the target. This two-pronged attack enabled zero-click code execution on fully patched iPhones via WhatsApp until emergency updates were released. In addition to software bugs, some legitimate app features have been abused: for instance, Signal’s linked-device functionality (meant for multi-device support) has been manipulated through QR code phishing to hijack accounts without exploiting any code vulnerability (see TTPs below). None of this breaks the cryptography itself: end-to-end encryption protects messages in transit, so the attackers instead compromise an endpoint (or enrol one of their own), where messages exist in plaintext before encryption and after decryption.

Attack Techniques (TTPs)

The threat actors employ a blend of social engineering and technical exploits as part of their Tactics, Techniques, and Procedures. Key attack vectors include:

  • Phishing & Malicious QR Codes: Highly targeted phishing campaigns are used to compromise messaging accounts. One prominent technique is abusing the multi-device linking feature of messaging apps. Russia-aligned groups, for example, crafted malicious Signal QR codes masquerading as legitimate group invites, security alerts, or device-pairing instructions. When the victim scanned one of these codes, it silently linked the victim’s Signal account to an attacker-controlled device, granting the adversary real-time access to all future messages. This device-linking attack requires minimal user interaction (just scanning a code), leaves few traces, and needs no exploit at all, making it hard to detect while providing continuous eavesdropping capability. In other cases, phishing messages trick users into clicking malicious links (e.g. a fake WhatsApp verification alert) or downloading spyware-laced apps. Such social engineering exploits trust in known platforms to induce users to perform the initial step of the compromise.
  • Zero-Click Exploits: The attackers also leverage exploits that do not require any user action. These zero-click attacks typically target vulnerabilities in how messaging apps and the underlying OS handle incoming data (images, calls, etc.). For instance, a malicious image or call can trigger a flaw that gives the attacker a foothold on the device without the user’s knowledge. Pegasus and similar spyware have famously used iMessage and WhatsApp zero-days in this manner. In 2025, multiple zero-click vulnerabilities were identified and patched (see CVE-2025-21042, CVE-2025-43300 and CVE-2025-55177 above). Exploiting such bugs, an attacker can install spyware or execute code as soon as a crafted message is received, completely bypassing user awareness or interaction. Given the stealth and success rate of this method, zero-click exploits are a preferred vector for high-end spyware delivery.
  • Impersonation & Trojanized Apps: Another tactic is impersonating legitimate messaging platforms to deliver malware. Threat actors have created fake websites and malicious mobile apps that closely mimic real services (Signal, WhatsApp, Telegram, etc.), deceiving users into installing spyware under the guise of official software. Recently, two Android spyware campaigns dubbed “ProSpy” and “ToSpy” lured users with bogus Signal “encryption plugin” apps and a fake “Pro” version of ToTok. The attackers distributed these via websites impersonating the official Signal site (e.g. domains like signal.ct[.]ws, encryption-plug-in-signal.com-ae[.]net) and a counterfeit Samsung app store. Likewise, the ClayRat malware spread through Telegram channels and phishing sites, masquerading as popular apps (WhatsApp, YouTube, TikTok, etc.) to trick users into sideloading it. In all cases, the victim believes they are downloading a legitimate app or update, but ends up infecting their device with spyware. Threat actors also impersonate trusted entities in communications – sending fake in-app alerts or support messages – to steal credentials or prompt actions (like entering a code or installing a file) that facilitate compromise. By exploiting user trust in recognized brands and services, these impersonation and trojan app techniques bypass technical protections and target the human element.
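
The device-linking and lookalike-domain tactics above both turn on what a scanned QR code or tapped link actually decodes to, which a user never sees. The script below is an added example written for this page (not code from CISA, Google, Signal or any vendor cited here) that triages decoded payloads the way a help desk or a QR-scanning gateway might. It assumes that Signal encodes a device-link request as sgnl://linkdevice?uuid=...&pub_key=... and group invites as https://signal.group/#..., treats the hosts in OFFICIAL as the genuine ones, and uses constructed sample payloads built from the page’s defanged domains.

```python
"""Triage decoded QR-code and link payloads sent to secure-messaging users.

Added example for this page, not code from CISA, Google or Signal.
Assumptions: Signal encodes a device-link request as
sgnl://linkdevice?uuid=...&pub_key=... and group invites as
https://signal.group/#...; OFFICIAL lists the hosts treated as genuine.
Sample payloads in main() are constructed, using the page's defanged domains.
"""
import re
from urllib.parse import parse_qs, urlsplit

OFFICIAL = {
    "signal.org", "signal.group", "signal.me", "signal.link",
    "whatsapp.com", "wa.me", "telegram.org", "t.me",
}
BRAND = re.compile(r"signal|whatsapp|telegram|totok", re.I)
APK = re.compile(r"\.apk(\?|$)", re.I)


def refang(s):
    """Undo the 'example[.]com' / 'hxxps' defanging used in threat reports."""
    return s.replace("[.]", ".").replace("hxxp", "http")


def registered_domain(host):
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def triage(payload):
    """Classify one decoded payload.

    Returns (verdict, kind, reasons) with verdict in 'block' | 'verify' | 'unknown'.
    """
    u = urlsplit(refang(payload.strip()))
    scheme, host = u.scheme.lower(), (u.hostname or "").lower()
    reasons = []

    # Device-link request: scanning it enrols the presenter's device as a
    # full reader of the account; no software vulnerability is involved.
    if scheme == "sgnl" and host == "linkdevice":
        uuid = parse_qs(u.query).get("uuid", ["?"])[0]
        reasons.append("Signal device-link request for device uuid %s" % uuid)
        return "block", "device_link", reasons

    if scheme in ("http", "https"):
        if host in OFFICIAL or registered_domain(host) in OFFICIAL:
            if host == "signal.group":
                reasons.append("Signal group invite: confirm with the inviter out of band")
                return "verify", "group_invite", reasons
            reasons.append("link to an official host")
            return "verify", "official_link", reasons
        if BRAND.search(host):
            # e.g. signal.ct.ws: brand keyword as a subdomain of an unrelated registrant
            reasons.append("brand keyword on non-official host %s (registered domain %s)"
                           % (host, registered_domain(host)))
            if APK.search(u.path):
                reasons.append("direct APK download: likely trojanized app")
            return "block", "lookalike", reasons
        if APK.search(u.path):
            reasons.append("direct APK download from an unknown host")
            return "block", "sideload", reasons

    return "unknown", "other", reasons


if __name__ == "__main__":
    # Constructed samples; the lookalike hosts are the page's defanged IoCs.
    for p in [
        "https://signal.group/#CjQKIExAMPLEinviteBYTES",
        "sgnl://linkdevice?uuid=8f1c2d3e-0000-4000-8000-000000000000&pub_key=BQkExAMPLE",
        "hxxps://signal.ct[.]ws/Signal-Encryption-Plugin.apk",
        "https://encryption-plug-in-signal.com-ae[.]net/",
        "https://wa.me/15550100",
        "https://example.com/newsletter",
    ]:
        print(triage(p))
```

The point of the ordering is that a device-link URI is blocked outright regardless of who presents it, because there is no legitimate reason for a third party to hand a user a pairing code, while a genuine group invite still gets a "verify" verdict: the link itself is harmless, but the invite may have come from a compromised contact.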

Victim Profiling

While these spyware campaigns can affect a broad user base, the evidence indicates a focus on high-profile individuals whose communications are of intelligence value. According to CISA, current targeting, albeit somewhat opportunistic, is centered on “high-value individuals, such as current and former high-ranking government, military, and political officials, as well as civil society organizations (CSOs)”.

Victims have been observed across multiple regions, notably in the United States, the Middle East, and Europe. For example, ESET researchers found that the ProSpy/ToSpy campaigns were specifically targeting users in the United Arab Emirates. Separately, the risk to government officials has prompted decisive countermeasures: in June 2025, the U.S. House of Representatives IT department banned WhatsApp on lawmakers’ devices due to espionage concerns. Moreover, spyware vendor NSO Group (creator of Pegasus) was barred by a U.S. court in October 2025 from targeting WhatsApp users with its spyware, in a landmark case brought by WhatsApp. These instances underscore the severity of the threat for governmental and civil society targets. More generally, anyone with access to sensitive information, whether state secrets, political plans, or activist networks, is at elevated risk. Journalists, dissidents, diplomats, and business leaders have all been prey to such spyware operations. The common motive is espionage: to gather confidential communications, strategic plans, or personal intelligence from individuals who are decision-makers or influencers. Organizations are therefore urged to identify personnel likely to be targeted (e.g. C-level executives, officials, researchers in key fields) and reinforce their security accordingly.

Spyware Implants Involved

Multiple families of advanced mobile spyware have been utilized in these incidents, each offering extensive surveillance capabilities and often sold by private companies to governments. Pegasus, by Israel’s NSO Group, is one notorious example: this sophisticated spyware has exploited iOS and Android zero-days (e.g. in iMessage and WhatsApp) to achieve zero-click device takeover, and has been deployed worldwide against diplomats, journalists, and activists. Hermit, from Italian vendor RCS Lab, is another: uncovered in 2022, Hermit was delivered via fake carrier SMS messages prompting users to install a malicious “update,” and was used to spy on targets in Kazakhstan, Syria, and Italy. FinFisher (aka FinSpy, by Gamma Group) is a legacy spyware platform that was marketed for lawful interception but repeatedly misused to monitor dissidents and media in various countries.

These commercial spyware tools, ostensibly sold to legitimate authorities, have frequently been abused for unlawful surveillance of political opponents, human rights defenders, and other civilians.

In addition to these well-known spywares, newer threats have emerged during 2024–2025. One such threat is LANDFALL, an Android spyware discovered by Palo Alto Networks’ Unit 42 team. LANDFALL is tailored to Samsung Galaxy devices and was used in targeted intrusions in the Middle East. It enables comprehensive surveillance of the infected device including live microphone eavesdropping, location tracking, and theft of photos, contacts, and call logs. The spyware was delivered via a malformed DNG image exploit (CVE-2025-21042), likely through a zero-click WhatsApp message, allowing the implant to install itself without alerting the user. Notably, the LANDFALL operation remained active and under the radar for months before discovery, highlighting the stealth of such attacks and the difficulty of detection if vulnerabilities are unknown.

Another emerging malware is ClayRat, identified in late 2025. ClayRat is a rapidly evolving Android spyware campaign primarily targeting Russian users. It spreads via trojanized apps hosted on attacker-controlled Telegram channels and lookalike websites, posing as popular applications like WhatsApp, Google Photos, TikTok, and YouTube. Once installed, ClayRat can exfiltrate a broad range of data (SMS messages, call logs, notifications, device info), take pictures using the front camera, and even send messages or make calls from the infected phone. Uniquely, ClayRat also aggressively propagates itself: it sends malicious download links to every contact in the victim’s address book, effectively turning each compromised device into a distribution hub for further infections. In just a few months, researchers observed over 600 ClayRat samples and 50 distinct dropper apps, each iteration adding new obfuscation layers to evade detection. This rapid growth and continuous evolution demonstrate the operators’ commitment to maintaining persistence and scale.

Finally, recent Middle East espionage campaigns introduced new spyware families on Android. The aforementioned ProSpy/ToSpy operations uncovered previously undocumented malware masquerading as Signal and ToTok apps. First spotted in 2024 and active into 2025, these implants were used to steal messages, call recordings, and files from targeted users in the UAE. While technical details are still emerging, these cases reaffirm that the commercial spyware landscape is expanding with bespoke tools tailored to specific regions and platforms. In summary, the spyware involved, whether flagship products like Pegasus and Hermit or newer strains like LANDFALL and ClayRat, all gives attackers full access to victims’ private communications and device sensors. It achieves this through a combination of zero-day exploits, sophisticated payloads, and clandestine distribution methods, making these tools among the most potent cyber threats to individuals and organizations today.

Indicators of Compromise (IoCs)

A variety of indicators can help defenders detect or investigate these spyware campaigns. Malicious domains and infrastructure are a primary IoC: for example, in the ProSpy/ToSpy case, ESET identified fake domains closely resembling legitimate services, such as signal.ct[.]ws and encryption-plug-in-signal.com-ae[.]net, which were used to distribute the trojanized Signal and ToTok apps. Another clue is file naming patterns. In the LANDFALL operation, the exploit files were DNG images carrying names like “WhatsApp Image 2025-02-10 at 4.54.17 PM.jpeg”, mimicking WhatsApp’s media naming convention while hiding a TIFF-based container behind a .jpeg extension. Such filenames (including “WA0000”-style sequence numbers) suggest the malware was delivered via WhatsApp, corroborating earlier reports of image-based exploits targeting messaging apps. The exploited CVEs are also useful as exposure indicators rather than artifacts: knowing that CVE-2025-21042, CVE-2025-43300 or CVE-2025-55177 are used in the wild means any device still missing the corresponding patch should be treated as exposed and prioritized for patching and hunting. From a network perspective, IoCs may include unusual outbound connections to IPs or domains linked with known spyware C2 infrastructure (for instance, domains previously flagged in Pegasus or FinFisher operations). However, advanced actors often use rotating cloud hosts or VPN services, so network indicators can be ephemeral.

Behavioral signs on devices can also act as IoCs. Examples include: the sudden appearance of an unknown app (especially one requiring extensive permissions) installed from outside the official app stores; a legitimate messaging app prompting for unexpected “security verifications”; battery or performance anomalies from constant background recording; or unexplained messages being sent from a user’s account. On Signal, an unknown entry in the Linked Devices list is a direct indicator of the device-linking abuse described above. On Android, a newly installed app requesting Accessibility or notification-listener access (which lets it read notifications, on-screen text and keystrokes) is a red flag. Security teams should combine these artifacts (domains, file hashes, unpatched-CVE exposure, unusual app behaviors) to detect potential spyware infection. If one or more IoCs are present, an immediate forensic analysis of the device is warranted, as well as broader threat hunting in the environment.
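
The file-naming and format clues above can be hunted for mechanically in a media backup, a mail or MDM quarantine, or a forensic image: a file named like WhatsApp media whose bytes are a TIFF/DNG rather than a JPEG, with data appended after the end of the legitimate image structure, matches the LANDFALL delivery pattern described on this page. The script below is an added example written for this page, not code from Unit 42, CISA or any vendor. It assumes the two filename patterns quoted above, treats “a ZIP local-file header beyond the last byte the TIFF structure references” as a heuristic (not a published signature), walks IFD, SubIFD and Exif chains to find that last byte, and builds its sample files in memory so it runs offline.

```python
"""Hunt for image files that look like messaging-app media but carry a parser
exploit: a DNG/TIFF named like a WhatsApp JPEG with an archive appended after
the image structure. Added example for this page, not vendor or CISA code.
Assumptions: filename patterns follow the page's examples; the "ZIP beyond
the TIFF extent" test is a heuristic; sample files come from build_sample().
"""
import re
import struct

WA_NAME = re.compile(
    r"^(WhatsApp Image \d{4}-\d{2}-\d{2} at \d{1,2}\.\d{2}\.\d{2} ?[AP]M"
    r"|IMG-\d{8}-WA\d{4})\.(jpe?g|png|dng)$", re.I)
EXPECTED = {"jpg": "jpeg", "jpeg": "jpeg", "png": "png",
            "dng": "tiff", "tif": "tiff", "tiff": "tiff"}
TYPE_SIZE = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 6: 1, 7: 1, 8: 2, 9: 4,
             10: 8, 11: 4, 12: 8, 13: 4}           # TIFF field type -> bytes
ZIP_LFH = b"PK\x03\x04"


def magic_type(data):
    if data[:3] == b"\xff\xd8\xff":
        return "jpeg"
    if data[:4] in (b"II*\x00", b"MM\x00*"):
        return "tiff"                               # DNG is a TIFF container
    if data[:8] == b"\x89PNG\r\n\x1a\n":
        return "png"
    return "unknown"


def _ints(data, end, typ, cnt, raw, off):
    """Decode a SHORT/LONG/IFD entry's values (inline when they fit in 4 bytes)."""
    fmt = {3: "H", 4: "I", 13: "I"}.get(typ)
    if fmt is None:
        return []
    size = struct.calcsize(fmt) * cnt
    buf = raw if size <= 4 else data[off:off + size]
    return list(struct.unpack(end + fmt * cnt, buf[:size])) if len(buf) >= size else []


def tiff_extent(data):
    """Highest offset referenced by the TIFF/DNG structure (IFDs, out-of-line
    values, strip/tile data) following next-IFD, SubIFD and Exif pointers;
    None if the header is not TIFF."""
    end = {b"II": "<", b"MM": ">"}.get(data[:2])
    if end is None or struct.unpack(end + "H", data[2:4])[0] != 42:
        return None
    queue, seen, extent = [struct.unpack(end + "I", data[4:8])[0]], set(), 8
    while queue:
        ifd = queue.pop()
        if ifd == 0 or ifd in seen or ifd + 2 > len(data):
            continue
        seen.add(ifd)
        n = struct.unpack(end + "H", data[ifd:ifd + 2])[0]
        extent = max(extent, ifd + 6 + 12 * n)       # count + entries + next pointer
        offsets, counts = [], []
        for i in range(n):
            e = ifd + 2 + 12 * i
            if e + 12 > len(data):
                break
            tag, typ, cnt = struct.unpack(end + "HHI", data[e:e + 8])
            raw = data[e + 8:e + 12]
            off = struct.unpack(end + "I", raw)[0]
            size = TYPE_SIZE.get(typ, 1) * cnt
            if size > 4:
                extent = max(extent, off + size)
            if tag in (273, 324):                     # StripOffsets / TileOffsets
                offsets += _ints(data, end, typ, cnt, raw, off)
            elif tag in (279, 325):                   # StripByteCounts / TileByteCounts
                counts += _ints(data, end, typ, cnt, raw, off)
            elif tag in (330, 34665):                 # SubIFDs / Exif IFD
                queue += _ints(data, end, typ, cnt, raw, off)
        extent = max([extent] + [o + c for o, c in zip(offsets, counts)])
        nxt = ifd + 2 + 12 * n
        if nxt + 4 <= len(data):
            queue.append(struct.unpack(end + "I", data[nxt:nxt + 4])[0])
    return min(extent, len(data))


def analyze(name, data):
    """Findings for one file; 'suspicious' is set only by structural anomalies."""
    magic = magic_type(data)
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    reasons = []
    if WA_NAME.match(name):
        reasons.append("filename mimics WhatsApp media naming")
    if magic != "unknown" and EXPECTED.get(ext) not in (None, magic):
        reasons.append("extension .%s but content is %s" % (ext, magic))
    extent = tiff_extent(data) if magic == "tiff" else None
    trailing = len(data) - extent if extent is not None else 0
    zip_at = [m.start() for m in re.finditer(re.escape(ZIP_LFH), data)]
    if extent is not None and any(p >= extent for p in zip_at):
        reasons.append("ZIP local-file header appended after the image data")
    elif trailing:
        reasons.append("%d unreferenced bytes after the TIFF data" % trailing)
    return {"name": name, "magic": magic, "extent": extent, "trailing": trailing,
            "zip_at": zip_at, "reasons": reasons,
            "suspicious": any(not r.startswith("filename") for r in reasons)}


def build_sample(trailer=b""):
    """Constructed 2x1 little-endian TIFF: header, one IFD, 2 pixel bytes at 74."""
    entries = [(256, 3, 1, 2), (257, 3, 1, 1), (258, 3, 1, 8), (273, 4, 1, 74), (279, 4, 1, 2)]
    ifd = struct.pack("<H", len(entries))
    for tag, typ, cnt, val in entries:
        ifd += struct.pack("<HHIHH", tag, typ, cnt, val, 0) if typ == 3 else struct.pack("<HHII", tag, typ, cnt, val)
    return b"II*\x00" + struct.pack("<I", 8) + ifd + struct.pack("<I", 0) + b"\x00\xff" + trailer


if __name__ == "__main__":
    fake_zip = ZIP_LFH + b"\x00" * 26 + b"payload.so"    # constructed stand-in for an appended archive
    for name, data in [
        ("WhatsApp Image 2025-02-10 at 4.54.17 PM.jpeg", build_sample(fake_zip)),
        ("IMG-20250210-WA0001.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16 + b"\xff\xd9"),
        ("photo.dng", build_sample()),
    ]:
        print(analyze(name, data))
```

A WhatsApp-style filename on its own is never treated as suspicious, since that is exactly what genuine media received through the app looks like; the verdict turns on the content/extension mismatch and on bytes that no IFD, strip or tile ever references. On a real DNG the extent calculation matters: camera-raw files keep their pixel data in SubIFDs, so a scanner that stops at the first IFD would flag every legitimate raw file as having a trailer.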

Mitigations

In light of these threats, CISA’s updated guidance outlines several best practices to protect mobile communications. Key mitigation measures include:

  • Use proven end-to-end encrypted messaging apps: Communicate via reputable messaging services that offer end-to-end encryption by default (e.g. Signal or other well-vetted apps). Ensure the chosen app is updated regularly and supported on all devices you use. Cross-platform encrypted apps (available on iOS, Android, and desktop) with features like disappearing messages can provide additional privacy. Evaluate what metadata the app/service collects and retains, and prefer those with minimal data retention.
  • Stay alert to social engineering: Be extremely wary of unsolicited messages concerning your messaging accounts. Do not scan QR codes or click invite links from unknown or unverified sources. Verify the legitimacy of group invitations or security alerts through a secondary channel (for instance, confirm with the purported sender via a phone call or separate app). Treat unexpected in-app security messages with skepticism, especially if they ask for login codes or personal information. Training high-risk users to recognize phishing and scam tactics on messaging apps is crucial.
  • Audit linked devices and sessions: For messaging platforms that support multi-device access, regularly check the list of devices linked to your account in the app settings. Remove any device that you do not recognize or no longer use. Limit the number of linked devices to the minimum necessary. This practice can thwart clandestine device-linking attacks by catching them after the fact. WhatsApp, Signal, and others also provide notifications of new device linkages; never ignore these alerts, and investigate promptly if one appears.
  • Enable strong authentication (and avoid SMS): Protect your messaging and email accounts with phishing-resistant multi-factor authentication, such as FIDO2 security keys (e.g. YubiKey, Titan) wherever possible. Hardware security keys provide the highest resilience against account takeover attacks. Once implemented, disable weaker 2FA methods like SMS or OTP apps for those accounts, since SMS codes can be intercepted or phished. If a service supports it, enroll in advanced account protection programs (such as Google’s Advanced Protection Program for Google accounts) to further harden your accounts.
  • Defend your telephone number: Set up a PIN/passcode on your mobile carrier account to prevent unauthorized SIM swaps. A SIM hijack can nullify even secure messaging if attackers reroute your phone number. By requiring a PIN for number porting or account changes, you greatly reduce the risk of SIM swap-based account takeovers. Additionally, avoid using SMS as a sole authentication factor for any high-value accounts (and opt for app-based or hardware 2FA instead).
  • Keep devices and apps updated: Apply software updates promptly for your mobile OS and all messaging apps. Critical security patches should be installed as soon as they are available. Enable auto-update functionality for both the device system and apps to ensure timely patching. Frequent updates reduce exposure to known exploits – many spyware infections (including those described above) are preventable once the relevant patch is applied. Make it a practice to check for updates weekly if auto-update is not in use.
  • Use modern hardware with long-term support: Whenever feasible, use newer smartphones that incorporate the latest security features and receive regular updates. Modern devices often include hardware-based security (secure enclaves, verified boot, etc.) that older phones lack. Moreover, choose models from manufacturers with a strong track record of providing monthly security patches and multi-year support. For example, several manufacturers now commit to five or more years of security updates for their flagship models, and Android Enterprise Recommended listings document each model’s update commitment. Using up-to-date hardware ensures you benefit from improved defenses against exploits; conversely, legacy devices (or those on outdated OS versions) should be retired for sensitive use-cases, as they might not receive fixes for newly discovered vulnerabilities.
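
For organizations that manage the phones of high-risk staff, several of the steps above (automatic OS and app updates, no sideloading, a fixed set of approved messaging apps) can be enforced centrally rather than left to each user. The fragment below is an added illustration written for this page, not CISA’s guidance or any vendor’s published policy. It is a policy body in the shape used by the Android Management API, with the field names (systemUpdate, playStoreMode, applications, advancedSecurityOverrides) taken from that API’s policy schema; verify them against the current API reference before deploying, and substitute your own approved package list for the Signal package assumed here (org.thoughtcrime.securesms).

```json
{
  "systemUpdate": { "type": "AUTOMATIC" },
  "playStoreMode": "WHITELIST",
  "applications": [
    {
      "packageName": "org.thoughtcrime.securesms",
      "installType": "FORCE_INSTALLED",
      "autoUpdateMode": "AUTO_UPDATE_HIGH_PRIORITY"
    }
  ],
  "advancedSecurityOverrides": {
    "untrustedAppsPolicy": "DISALLOW_INSTALL",
    "developerSettings": "DEVELOPER_SETTINGS_DISABLED",
    "googlePlayProtectVerifyApps": "VERIFY_APPS_ENFORCED"
  }
}
```

The three overrides map directly onto the trojanized-app vector from the TTPs section: with untrusted-app installation disallowed and the Play Store in allowlist mode, a “Signal encryption plugin” APK from a lookalike site cannot be sideloaded at all, and forced high-priority auto-update of the approved messenger closes the window in which a patched app-layer bug (such as CVE-2025-55177) remains exploitable.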

In addition to the above, organizations should provide tailored security training for at-risk users (executives, journalists, activists, etc.) on secure mobile practices. This includes encouraging the exclusive use of approved secure communications apps, reporting of any strange device behavior or messages, and having an incident response plan for suspected mobile compromise. Given the stealthy and evolving nature of spyware threats, a combination of user vigilance, strong technical safeguards, and up-to-date systems is essential. By implementing these best practices from CISA’s guidance and related advisories, high-risk users and enterprises can significantly harden their mobile communications against spyware-enabled espionage.

References:

  1. CISA Alert (Nov 24, 2025) – “Spyware Allows Cyber Threat Actors to Target Users of Messaging Applications”: https://www.cisa.gov/news-events/alerts/2025/11/24/spyware-allows-cyber-threat-actors-target-users-messaging-applications
  2. Google Threat Intelligence (Dan Black) – “Signals of Trouble: Multiple Russia-Aligned Threat Actors Actively Targeting Signal Messenger” (blog), Feb 19, 2025: https:///blog/topics/threat-intelligence/russia-targeting-signal-messenger/
  3. Unit 42, Palo Alto Networks – “LANDFALL: New Commercial-Grade Android Spyware in Exploit Chain Targeting Samsung Devices” (Threat Research blog), Nov 7, 2025: https:///landfall-is-new-commercial-grade-android-spyware/
  4. BleepingComputer (Bill Toulas) – “Android spyware campaigns impersonate Signal and ToTok messengers”, Oct 2, 2025: https://www./news/security/android-spyware-campaigns-impersonate-signal-and-totok-messengers/
  5. Zimperium (Vishnu Pratapagiri) – “ClayRat: A New Android Spyware Targeting Russia” (blog), Oct 9, 2025: https:///blog/clayrat-a-new-android-spyware-targeting-russia/
  6. Lookout Threat Intelligence – “Lookout Uncovers Hermit Spyware Deployed in Kazakhstan”, June 16, 2022: https://www./threat-intelligence/article/hermit-spyware-discovery
  7. Reuters (Courtney Rozen) – “WhatsApp Banned on US House of Representatives Devices, Memo Shows”, June 23, 2025: https://www.reuters.com/world/us/whatsapp-banned-us-house-representatives-devices-memo-2025-06-23/
  8. The Record (Suzanne Smalley) – “Judge Bars NSO from Targeting WhatsApp Users with Spyware, Reduces Damages in Landmark Case”, Oct 20, 2025: https://therecord.media/judge-bars-nso-from-targeting-whatsapp-users-lowers-damages
  9. CISA – “Mobile Communications Best Practice Guidance” (Version 2.0, Nov 24, 2025), Cybersecurity & Infrastructure Security Agency: PDF (5 pages, TLP:CLEAR)