CISA Warns of Commercial Spyware Threats Targeting WhatsApp and Signal Users

December 12, 2025

Carly Page, reporting in The Register, writes about a recent Cybersecurity and Infrastructure Security Agency (CISA) alert. It describes a series of campaigns in which state-backed actors, along with hired cyber-operators, are using commercial spyware to compromise users of WhatsApp and Signal.

According to CISA, these intrusions involve deceptive delivery methods and advanced exploits that can silently compromise devices. The alert focuses on activity directed at individuals whose communications hold strategic or political importance. Attackers are seeking access to both messaging accounts and the broader mobile environment.

These campaigns reflect an expanded operational toolkit. CISA cites reports from independent research groups that detail how attackers deploy phishing messages, tampered QR codes, malicious app impersonations, or automated exploits to gain an initial foothold.

Several investigations referenced in the alert describe adversaries targeting Android ecosystems. They manipulate device features and plant counterfeit applications designed to imitate widely trusted services.

The alert summarizes multiple real-world examples. Google’s Threat Intelligence Group documented Russia-linked operators exploiting Signal’s linked-device feature by tricking victims into scanning manipulated QR codes, which allowed attackers to receive messages in parallel.

Another case surfaced through Unit 42’s research. It described the deployment of “Landfall” spyware onto Samsung devices by pairing a Samsung vulnerability with a zero-click WhatsApp image exploit.

Other spyware operations — ProSpy, ToSpy, ClayRat — reportedly relied on fake versions of common apps to collect data once installed.

The increasing regulatory and legislative attention on commercial spyware vendors, as this alert signals, means attorneys advising public or private entities will need to anticipate compliance questions. They should also anticipate evidence-handling concerns and potential policy developments affecting secure communication practices.
