The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an alert on Monday warning that cyber actors are actively leveraging commercial spyware and remote access trojans to target users of mobile messaging applications.
CISA cited multiple campaigns since the start of the year as examples, including the targeting of Signal via its linked‑devices feature by Russia‑aligned actors, Android spyware campaigns codenamed ProSpy and ToSpy that impersonated apps to compromise devices in the United Arab Emirates, an Android campaign called ClayRat that used Telegram channels and lookalike phishing pages in Russia, a targeted chain of iOS and WhatsApp flaws (CVE-2025-43300 and CVE-2025-55177) that affected fewer than 200 WhatsApp users, and exploitation of a Samsung flaw (CVE-2025-21042) to deliver Android spyware named LANDFALL to Galaxy devices in the Middle East.
The agency said actors employ multiple tactics to achieve compromise, including device‑linking QR codes, zero‑click exploits and distribution of spoofed versions of messaging apps. CISA added that the campaigns have focused on high‑value individuals such as current and former government, military and political officials, and members of civil society across the United States, the Middle East and Europe.
To counter the threat, CISA urged highly targeted individuals to review and adhere to best practices, including using end‑to‑end encrypted communications, enabling FIDO phishing‑resistant authentication, moving away from SMS‑based multi‑factor authentication, using a password manager, setting a telecommunications provider PIN, keeping software updated and choosing recent device hardware. The guidance also recommended avoiding personal VPNs, and offered platform‑specific steps such as enabling Lockdown Mode and iCloud Private Relay on iPhones and auditing app permissions and Google Play Protect settings on Android devices.

