
The Cybersecurity & Infrastructure Security Agency (CISA) has issued a new alert warning that sophisticated spyware campaigns are actively targeting users of secure messaging apps such as Signal and WhatsApp. Attackers are using a mix of social engineering, remote-access trojans, linked-device hijacks, and device-level exploits to compromise high-value individuals.
Below is an easy-to-follow breakdown of what’s happening and what IT audit, risk, and security teams should do right now.
What’s Happening?
CISA reports several ongoing campaigns involving spyware and remote-access tools delivered through or impersonating messaging applications.
Recent campaigns include:
- Russian-linked actors attacking Signal’s linked-device feature.
- Android spyware “ProSpy” and “ToSpy” impersonating Signal or ToTok to target users in the UAE.
- “ClayRat” spyware disguised as WhatsApp, Telegram, and YouTube apps to target Android users in Russia.
- An iOS zero-click attack chain delivered through WhatsApp using two zero-day flaws (CVE-2025-43300 and CVE-2025-55177).
- An Android exploit targeting Samsung devices (CVE-2025-21042) used to install “LANDFALL” spyware on Galaxy phones.
These attacks specifically target government officials, military personnel, political figures, journalists, activists, and other high-value individuals.
Why This Matters for Organizations
Although apps like Signal and WhatsApp use end-to-end encryption, attackers can bypass that protection by:
- exploiting device and OS vulnerabilities
- hijacking linked devices
- delivering look-alike malicious apps
- using zero-click spyware
- leveraging social engineering or stolen credentials
A compromised mobile device gives attackers access to sensitive communications, authentication data, and private strategy conversations, making this a major risk to organizational trust, governance, and compliance.

What Audit, Risk & IT Teams Should Do Now
1. Identify High-Risk Users
Find individuals in your organization likely to be targeted, including executives, legal teams, compliance staff, public-facing figures, or anyone handling sensitive data.
2. Harden Mobile Devices and Messaging Security
Across all platforms:
- Require end-to-end encrypted messaging.
- Move to phishing-resistant authentication (FIDO or passkeys).
- Enforce regular OS and app updates.
For iPhones:
- Enable Lockdown Mode.
- Turn on iCloud Private Relay.
- Audit sensitive permissions.
For Android devices:
- Use devices from manufacturers with strong security reputations.
- Enable Google Play Protect and Enhanced Safe Browsing.
- Review app permissions frequently.
3. Reduce the Attack Surface
- Restrict or closely manage linked-device features.
- Block or monitor app side-loading.
- Watch for fake or spoofed apps mimicking WhatsApp, Telegram, TikTok, or YouTube.
4. Monitor Mobile Devices for Red Flags
Look for:
- Unrecognized linked devices
- New apps the user didn’t install
- Sudden permission changes
- Battery drain or unusual data usage
- SIM-card or carrier-setting changes
- Unexpected malware alerts
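One way to automate the spoofed-app and side-loading checks from steps 3 and 4, shown as an added example that is not part of the CISA alert or any vendor tooling. It assumes a hypothetical MDM app-inventory export with the columns `device,label,package,installer,system`; the package allow-list and the sample rows are constructed for illustration and should be extended for your own fleet.

```python
import csv
import io
import unicodedata

# Publisher package IDs for the apps the article names (assumed allow-list; extend it).
OFFICIAL = {
    "whatsapp": {"com.whatsapp", "com.whatsapp.w4b"},
    "signal": {"org.thoughtcrime.securesms"},
    "telegram": {"org.telegram.messenger"},
    "tiktok": {"com.zhiliaoapp.musically", "com.ss.android.ugc.trill"},
    "youtube": {"com.google.android.youtube", "com.google.android.apps.youtube.music"},
}
TRUSTED_INSTALLERS = {"com.android.vending"}  # Google Play; add your managed store

# Constructed sample of a hypothetical MDM app-inventory export.
SAMPLE_INVENTORY = """\
device,label,package,installer,system
exec-01,WhatsApp,com.whatsapp,com.android.vending,no
exec-01,Whats App Update,com.wa.update.example,,no
exec-02,Signal,org.thoughtcrime.securesms,,no
exec-02,YouTube,com.google.android.youtube,,yes
exec-03,Notes,com.example.notes,com.android.vending,no
exec-03,Field Tool,com.example.fieldtool,,no
"""

def normalize(label):
    """Fold case/width and drop spaces and punctuation so 'Whats App' matches 'whatsapp'."""
    folded = unicodedata.normalize("NFKC", label).casefold()
    return "".join(ch for ch in folded if ch.isalnum())

def review_inventory(csv_text):
    """Return (device, package, reason) for spoofed or side-loaded apps."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        pkg, label = row["package"], normalize(row["label"])
        sideloaded = row["system"] != "yes" and row["installer"] not in TRUSTED_INSTALLERS
        brand = next((b for b, ids in OFFICIAL.items() if b in label or pkg in ids), None)
        if brand and pkg not in OFFICIAL[brand]:
            reason = f"spoofed-{brand}"      # brand name on a non-publisher package
        elif sideloaded and brand:
            reason = f"sideloaded-{brand}"   # publisher package ID, untrusted install source
        elif sideloaded:
            reason = "sideloaded"
        else:
            continue
        findings.append((row["device"], pkg, reason))
    return findings

if __name__ == "__main__":
    for finding in review_inventory(SAMPLE_INVENTORY):
        print(*finding, sep="\t")
```

Treat hits as triage leads: the substring match on labels will also surface legitimate apps whose names happen to contain a brand word, and pre-installed apps are exempted from the installer check only when the export marks them as system apps.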
5. Educate Leadership and Key Stakeholders
Help leadership understand that messaging apps are sensitive communication channels and that mobile-device compromise can expose strategic decisions, legal conversations, and operational planning.
How IT Audit Labs Can Help
Cyber threats targeting mobile devices and messaging apps are growing quickly, and organizations often lack the visibility or mobile-specific controls needed to stay ahead of the risk.
IT Audit Labs helps organizations strengthen mobile and messaging security by:
- Assessing mobile-device policies and configurations across iOS and Android.
- Evaluating messaging-app risks including linked-device features, permissions, and authentication.
- Reviewing OS patching practices to ensure timely updates for high-severity mobile vulnerabilities.
- Implementing mobile threat-detection and monitoring solutions for high-risk personnel.
- Performing risk assessments and control reviews aligned with governance, compliance, and cybersecurity frameworks.
- Providing strategic recommendations tailored to your industry, risk profile, and communication workflows.
If your leadership team, executives, or high-value users rely on secure messaging, we can help ensure their devices, identities, and communications are properly protected.
How This Fits Into Larger Cybersecurity Trends
These spyware campaigns reveal an important shift:
- Mobile devices are becoming primary entry points for attackers.
- Messaging apps are being exploited at the device level rather than the network level.
- State-sponsored actors are increasingly using zero-click exploits and commercial spyware.
- Linked-device features and app impersonation are now common attack vectors.
Security assessments must now extend beyond desktops, servers, and cloud platforms to include mobile ecosystems and messaging infrastructure.
Key Takeaways
- Spyware campaigns are actively targeting Signal, WhatsApp, and other messaging apps used by high-value individuals.
- Organizations must strengthen mobile-device controls, authentication, monitoring, and messaging security.
- These threats impact business operations, compliance, and governance—not only IT.
- IT Audit Labs can assist with mobile risk assessments, secure-messaging evaluations, and device security improvements.

