CISA: Commercial Spyware Hijacking Signal & WhatsApp via Zero-Clicks

CISA Warns of Commercial Spyware Targeting High-Value Individuals via Signal and WhatsApp

HIGH
Published: November 25, 2025
Updated: December 7, 2025
5m read
Categories: Malware, Mobile Security, Threat Intelligence


Executive Summary

On November 24, 2025, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an alert warning of multiple threat actors actively leveraging commercial spyware to compromise mobile messaging applications, specifically Signal and WhatsApp. The campaigns target high-value individuals, including government and military officials, through sophisticated attack vectors. These methods range from social engineering, such as phishing and malicious QR code linking, to highly advanced zero-click exploits. A successful compromise can lead to unauthorized access to sensitive communications and can serve as a pivot point for a full mobile device takeover, enabling espionage and data theft.


Threat Overview

CISA's advisory highlights a growing threat from the proliferation of commercial spyware, which lowers the barrier to entry for sophisticated surveillance capabilities. Threat actors are targeting the secure communication channels that high-profile individuals rely on. The attack vectors are diverse:

  • Social Engineering & Phishing: Attackers impersonate trusted entities or the messaging platforms themselves to trick users into taking an action, such as scanning a malicious QR code.
  • Malicious QR Code Linking: This technique abuses the 'linked devices' feature of apps like WhatsApp. A user is tricked into scanning a QR code, which links their account to an attacker-controlled device, giving the attacker real-time access to all messages.
  • Zero-Click Exploits: The most alarming vector; zero-click exploits require no user interaction whatsoever. A specially crafted message or data packet sent to the target's device can trigger a vulnerability and install the spyware silently, which makes detection and prevention extremely difficult.

While CISA notes the targeting is currently opportunistic, the victimology points to a clear focus on individuals with access to sensitive information: government officials, military personnel, and members of civil society organizations (CSOs) in the United States, Europe, and the Middle East.

Technical Analysis

The campaigns described by CISA involve several stages and techniques, aligning with the MITRE ATT&CK framework for Mobile.

  1. Initial Access: Attackers gain a foothold using various methods. Phishing links sent via SMS or other channels represent T1476 - Deliver Malicious App via Other Means. The use of malicious QR codes is a form of T1648.002 - Multi-Factor Authentication Request Generation where the 'second factor' is the device link. Zero-click exploits leverage vulnerabilities in the application's code, corresponding to T1404 - Exploit via Application.
  2. Execution & Persistence: Once the spyware is on the device, it executes and establishes persistence. This could involve hiding its presence and ensuring it runs on startup, aligning with T1402 - Masquerade as Legitimate App and T1400 - Boot or Logon Autostart Execution.
  3. Privilege Escalation: Many forms of mobile spyware attempt to gain root or elevated privileges to access data outside of the application sandbox, mapping to T1405 - Exploit via Kernel.
  4. Collection & Exfiltration: The spyware's primary goal is to collect data. This includes reading messages from Signal and WhatsApp (T1412 - Contact List Discovery, T1414 - Call Log Discovery), accessing files (T1409 - System Information Discovery), and activating the microphone or camera (T1424 - Capture Audio, T1425 - Capture Video). Data is then exfiltrated over the network (T1428 - Exfiltrate Data to Cloud Storage).

MITRE ATT&CK for Mobile Techniques

Tactic         | Technique ID | Name                                  | Description
Initial Access | T1404        | Exploit via Application               | Zero-click exploits leverage vulnerabilities in messaging apps.
Initial Access | T1476        | Deliver Malicious App via Other Means | Phishing attacks deliver malicious links or QR codes.
Collection     | T1429        | Read Application Data                 | Spyware accesses and reads messages from Signal and WhatsApp.
Collection     | T1424        | Capture Audio                         | Spyware can activate the device's microphone for eavesdropping.
Exfiltration   | T1428        | Exfiltrate Data to Cloud Storage      | Stolen data is sent to attacker-controlled servers.

Impact Assessment

The compromise of secure messaging apps used by high-value individuals poses a significant national security risk. It can lead to the exposure of classified information, diplomatic negotiations, military plans, or sensitive corporate strategies. For civil society organizations and journalists, such surveillance can endanger individuals, expose sources, and suppress dissent. The psychological impact on victims, knowing their private communications are being monitored, is also profound. Since the initial compromise can lead to a full device takeover, the potential for damage extends beyond message content to include all data stored on or accessible from the device.

Cyber Observables for Detection

Detecting sophisticated mobile spyware, especially zero-click variants, is extremely challenging for end-users. However, some indicators might be present:

Type                    | Value                               | Description                                                                                                                   | Context                                             | Confidence
other                   | Unexpected linked devices           | An unknown or unauthorized device appearing in the 'Linked Devices' section of WhatsApp or Signal.                            | User review of application settings.                | high
network_traffic_pattern | Unusual battery drain or data usage | A compromised device may exhibit higher-than-normal battery consumption or data traffic as spyware operates in the background. | Mobile device settings, carrier data usage reports. | low
process_name            | Unrecognized running applications   | An unfamiliar process or application running in the background, though spyware is often heavily obfuscated.                   | Advanced mobile forensics tools (e.g., MVT).        | low
other                   | Strange device behavior             | Random reboots, slow performance, or apps crashing unexpectedly can sometimes indicate a malware infection.                    | User observation.                                   | low

Detection & Response

Due to the stealthy nature of these attacks, prevention is more effective than detection. Users must be vigilant and organizations must enforce strict mobile security policies.

  • Regularly Audit Linked Devices: Users of WhatsApp and Signal should periodically check the 'Linked Devices' or 'Sessions' menu in their app settings to ensure no unauthorized devices are connected. This is a manual form of D3-LAM - Local Account Monitoring.
  • Enable Security Notifications: In Signal and WhatsApp, enable the security setting that notifies you when a contact's security code changes. While this can have benign causes, it can also indicate a re-installation or account takeover.
  • Mobile Threat Defense (MTD): Organizations with high-risk employees should deploy MTD solutions on mobile devices. These tools can detect malicious apps, network anomalies, and device configuration changes that may indicate a compromise. This aligns with D3-NTA - Network Traffic Analysis.
  • Forensic Analysis: If a compromise is suspected, use specialized tools like Amnesty International's Mobile Verification Toolkit (MVT) to scan device backups for known indicators of spyware.

Mitigation

CISA recommends several best practices:

  1. Keep Apps and OS Updated: The most critical defense against zero-click exploits is to apply security patches as soon as they are available. This is a direct implementation of M1051 - Update Software.
  2. Be Skeptical of Unsolicited Messages: Do not click on links or scan QR codes from unknown or untrusted sources. This falls under M1017 - User Training.
  3. Use Registration Lock / PIN: In Signal and WhatsApp, enable a PIN that is required when registering your phone number with the app again. This prevents an attacker from taking over your account on a new device.
  4. Limit Physical Access: Secure devices with strong passcodes, biometrics, and enable auto-lock to prevent physical tampering.
  5. Reboot Regularly: Some less persistent spyware implants do not survive a device reboot. Regularly restarting the phone can help clear such threats from memory.

Timeline of Events

  1. November 24, 2025: CISA issues an advisory about spyware targeting messaging applications.
  2. November 25, 2025: This article was published.

Article Updates

December 7, 2025

WhatsApp zero-click attacks surge globally, 2FA critical defense against widespread exploitation.

MITRE ATT&CK Mitigations

  • Promptly install updates for mobile operating systems and messaging applications to patch vulnerabilities exploited by zero-click attacks.
  • Educate users to recognize and avoid social engineering tactics, such as phishing links and unsolicited QR code scanning requests.
  • Enable features like Registration Lock or a PIN within messaging apps to act as a second factor and prevent account takeover.
  • Deploy Mobile Threat Defense (MTD) solutions to monitor for anomalous behavior indicative of spyware.

D3FEND Defensive Countermeasures

Enforce a strict and timely software update policy for all mobile devices, covering both the operating system (iOS/Android) and all installed applications, especially Signal and WhatsApp. For corporate-managed devices, use a Mobile Device Management (MDM) solution to automate and enforce the installation of security patches. This is the single most effective defense against zero-click exploits, which rely on unpatched vulnerabilities. For high-risk individuals, consider enabling automatic updates and conducting regular compliance checks to ensure devices are never left in a vulnerable state. A delay of even a few days in patching can provide a window of opportunity for attackers to deploy sophisticated spyware.

Mandate the activation of all available security features within Signal and WhatsApp for high-risk users. This includes setting a 'Registration Lock PIN' in WhatsApp or a 'Registration Lock' in Signal to prevent SIM-swapping attacks and unauthorized account re-registration. Additionally, users should be required to periodically review the 'Linked Devices' section of their apps to identify and remove any unauthorized sessions. Disabling link previews in messaging apps can also reduce the attack surface by preventing the app from automatically fetching data from potentially malicious URLs. These configuration changes raise the bar for attackers and provide crucial safeguards against common account takeover techniques.
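As an added example (not code from CISA or the article), the following Python check applies the patching, Registration Lock and linked-device review controls from these two countermeasures and the Mitigation list to an MDM-style device inventory. The Device structure, the minimum version numbers, and the user and device names are constructed assumptions, not real release numbers or any product's export format.

```python
from dataclasses import dataclass, field

# Constructed policy: minimum patched versions (placeholder numbers, not real releases).
MIN_VERSIONS = {"ios": (18, 1), "android": (15, 0),
                "signal": (7, 30), "whatsapp": (2, 24, 20)}

@dataclass
class Device:
    user: str
    os_name: str
    os_version: tuple
    app_versions: dict        # app name -> installed version tuple
    linked_devices: list      # names shown in the app's Linked Devices menu
    registration_lock: bool   # Registration Lock / PIN enabled?
    approved_links: set = field(default_factory=set)  # links the user confirmed

def version_ok(installed, minimum):
    """Compare version tuples padded to equal length, so (7, 30) >= (7, 30, 0)."""
    n = max(len(installed), len(minimum))
    pad = lambda v: tuple(v) + (0,) * (n - len(v))
    return pad(installed) >= pad(minimum)

def check_device(d: Device) -> list:
    """Return (severity, finding) tuples; an empty list means compliant."""
    findings = []
    if not version_ok(d.os_version, MIN_VERSIONS[d.os_name]):
        findings.append(("high", f"{d.os_name} below minimum patched version"))
    for app, ver in d.app_versions.items():
        if app in MIN_VERSIONS and not version_ok(ver, MIN_VERSIONS[app]):
            findings.append(("high", f"{app} below minimum patched version"))
    # Linked-device audit: a session the user never confirmed is the 'unexpected linked devices' observable.
    for name in d.linked_devices:
        if name not in d.approved_links:
            findings.append(("high", f"unrecognised linked device: {name}"))
    if not d.registration_lock:
        findings.append(("medium", "registration lock / PIN not enabled"))
    return findings

# Constructed sample fleet standing in for an MDM inventory export.
FLEET = [
    Device("alice", "ios", (18, 1), {"signal": (7, 31), "whatsapp": (2, 24, 21)},
           ["Alice-Laptop"], True, {"Alice-Laptop"}),
    Device("bob", "android", (14, 0), {"signal": (7, 30), "whatsapp": (2, 24, 19)},
           ["Bob-Desktop", "Chrome on Linux"], False, {"Bob-Desktop"}),
]

def fleet_report(fleet=FLEET) -> dict:
    """Map each user to that device's findings (empty list = compliant)."""
    return {d.user: check_device(d) for d in fleet}
```

In the constructed fleet, "bob" produces four findings (old OS, old WhatsApp build, an unconfirmed linked session and no Registration Lock) while "alice" is compliant; feeding a real MDM export means only replacing FLEET and the placeholder minimums.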

Train high-value targets to adopt a high-vigilance mindset when using mobile messaging. This goes beyond generic anti-phishing advice. Training should be specific to the threat, focusing on the danger of unsolicited QR codes, unexpected requests for multi-factor authentication, and messages that create a false sense of urgency. Conduct regular, simulated social engineering tests that mimic the TTPs described by CISA. Users should be taught to verify any unusual request through a separate, secure communication channel before taking action. For example, if a contact asks to scan a QR code, the user should call them to confirm the request is legitimate. This human firewall is a critical defense layer against non-technical attack vectors.


Article Author

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags: CISA, spyware, mobile security, Signal, WhatsApp, zero-click, phishing, social engineering
