Spyware targeting messaging apps announced by CISA

CISA issued an urgent alert on November 24, 2025, warning of multiple cyber threat actors actively using commercial spyware to target users of popular mobile messaging apps like Signal, WhatsApp, and Telegram. These actors employ sophisticated social engineering and targeting techniques, such as malicious QR codes for device pairing, zero-click exploits that infect devices silently without user interaction, and fake app updates impersonating legitimate services to deliver spyware payloads.
​Once inside the messaging app, the spyware grants unauthorized access, enabling deployment of additional malware for full device compromise, data exfiltration, and long-term surveillance. High-value targets include senior government officials, military leaders, political figures, journalists, and civil-society organizations (CSOs) in the US, Europe, and Middle East, often linked to nation-state operations or authoritarian regimes exploiting these tools.
​The agency highlighted vulnerabilities like iOS/WhatsApp chains (e.g., CVE-2025-43300, CVE-2025-55177) and Android spyware such as ClayRat spread via Telegram phishing. CISA updated its mobile security guidance, urging automatic updates, app verification, avoidance of untrusted links, and monitoring for anomalies like unusual battery drain. This rare public notice underscores escalating risks to encrypted communications, as attackers bypass encryption by hijacking devices pre- or post-decryption, eroding trust in privacy-focused apps amid a surge in commercial spyware proliferation.