CISA warns spyware crews are breaking into Signal and WhatsApp accounts

Summary

CISA has issued an alert warning that state-backed operators and cyber mercenaries are using commercial spyware to compromise Signal and WhatsApp users. Rather than breaking encryption, attackers are compromising devices and accounts via social engineering, spoofed apps, malicious QR codes, and zero-click exploits. The campaigns target “high-value” individuals — senior government, military and political figures, and civil society — across the US, Europe and the Middle East. Examples highlighted include Signal linked-device abuse, LANDFALL zero-click WhatsApp exploitation combined with a Samsung vulnerability, and multiple impersonation campaigns delivering spyware.

Key Points

  • CISA reports commercial spyware is being used to access messaging apps without defeating encryption itself.
  • Attack techniques include phishing, spoofed/impersonated apps, tampered QR codes for linked devices, and zero-click exploits.
  • Targets are primarily “high-value” users: current/former officials, military personnel, political actors and civil society groups.
  • Notable incidents: Russia-aligned actors abused Signal’s linked-device flow; LANDFALL combined a Samsung flaw with a WhatsApp zero-click exploit; ProSpy/ToSpy and ClayRat impersonated popular apps to install spyware.
  • Once a device is compromised, attackers can deploy additional payloads, exfiltrate chats, recordings and files, and maintain persistent access.
  • Heightened scrutiny of commercial spyware follows moves like the US restrictions on NSO Group and bans on WhatsApp on some government devices.

Context and relevance

This alert fits a broader trend: adversaries are increasingly compromising endpoints to bypass end-to-end encryption rather than attacking cryptography itself. Commercial spyware vendors and exploit chains are under growing scrutiny, and the warning underscores why device hygiene, timely patching and cautious use of account features (like linked devices and QR codes) are critical for anyone handling sensitive information.

Author style

Punchy: This isn’t theoretical — it’s active and targeted. If you defend people, data or institutions, the detail here matters. Read the specifics so you can harden endpoints and reduce exposure.

Why should I read this?

Short and blunt: encryption isn’t magic — if your phone gets owned, your supposedly secure chats are readable. If you use Signal or WhatsApp for sensitive conversations (or protect people who do), you need to know how attackers are getting in so you can stop them: check linked devices, refuse unexpected QR scans, avoid unofficial app installs, and keep phones patched.

Source

Source: https://go.theregister.com/feed/www.theregister.com/2025/11/25/cisa_spyware_gangs/