Encrypted messaging apps, including Signal and WhatsApp, are under siege, warns the US Cybersecurity and Infrastructure Security Agency (CISA).

State-backed attackers and cyber-mercenaries are deploying sophisticated commercial spyware to breach the accounts of high-value targets. These targets include senior government, military, and political officials, as well as civil society groups across the US, Europe and the Middle East.

CISA stresses that the attackers are not breaking the applications’ strong end-to-end encryption. Instead, they bypass it by burrowing underneath the secure apps to compromise the mobile device itself.

How Are They Doing It?

Threat actors are employing a mix of sophisticated social engineering and technical exploits.

One common method is Malicious App Impersonation. Attackers create convincing, counterfeit versions of popular apps including Signal, WhatsApp, and TikTok. Once users are tricked into downloading these bogus files, the embedded spyware gains a foothold to quietly steal chat data, recordings, and files.

Another tactic involves Account Hijacking. Some crews abuse messaging features, for instance by coercing a victim into scanning a tampered QR code meant for linking devices. This action allows the attacker to secretly add a secondary, attacker-controlled device to the victim’s account, enabling them to eavesdrop in real time.

Finally, in the most advanced attacks, threat actors utilize Zero-Click Exploits.

These complex methods leverage security flaws in the phone’s operating system or the app itself, so the device is compromised the moment a malicious message is received, with absolutely no action required from the victim.

What Can People Do to Prevent It?

CISA urges highly targeted individuals to adopt stronger security habits to counter these threats.

Protection starts with Software Updates; regularly installing operating system and application updates is critical to patch the vulnerabilities that zero-click exploits rely on.

Users must also Enhance Authentication by moving away from easily spoofed SMS-based multi-factor authentication (MFA).

Instead, they should adopt phishing-resistant FIDO methods and use a password manager for secure credentials.

Further steps include ensuring Secure Mobile Accounts by setting a provider PIN to protect against SIM-swap attacks.

Finally, CISA advises users to employ Device-Specific Measures for maximum defence. On iPhones, enabling Lockdown Mode is recommended, while Android users should choose phones from manufacturers with strong security track records and ensure Google Play Protect is active.

