CISA, the US Cybersecurity and Infrastructure Security Agency, has issued a new warning that cybercriminals and state-backed hacking groups are using spyware to compromise smartphones belonging to users of popular encrypted messaging apps such as Signal, WhatsApp, and Telegram.
In an advisory released this week, CISA warns that malicious hackers are not trying to directly crack the end-to-end encryption the apps use to secure conversations, but are instead targeting the devices themselves.
According to CISA, attackers are increasingly using a variety of techniques and technical exploits to compromise a victim’s phone, and then access the messages they have sent and received.
Techniques used by attackers, the advisory explains, include fooling users into scanning fake QR codes that secretly connect their messaging account to a device under the control of an attacker, or into installing updates that appear legitimate but actually deliver spyware.
The most worrying and sophisticated type of attack involves exploiting “zero click” vulnerabilities that can allow a phone to be infected simply by receiving a specially-crafted malformed image or file, without the victim having to tap on anything.
Sadly, although end-to-end encryption can secure messages on their journey between two devices, and prevents snooping by anyone intercepting the communication, it offers practically no protection on the devices themselves.
Messages can be read before they are encrypted or after they are decrypted. In addition, files, photos, contacts, call history and location data can also be accessed from a compromised phone.
CISA says that it has seen evidence that hackers targeting the users of encrypted messaging apps are focusing on “high-value” targets such as those working in politics, the government, and the military. However, it notes that other organisations and individuals across the United States, Middle East, and Europe have become the subject of such attacks.
The attacks often take advantage of commercial spyware, explains CISA.
“CISA is aware of multiple cyber threat actors actively leveraging commercial spyware to target users of mobile messaging applications,” the agency said in its advisory. “These cyber actors use sophisticated targeting and social engineering techniques to deliver spyware and gain unauthorized access to a victim’s messaging app, facilitating the deployment of additional malicious payloads that can further compromise the victim’s mobile device.”
Earlier this month, researchers at Palo Alto Networks shared details of a previously unknown commercial-grade spyware called Landfall that exploited a vulnerability in Samsung’s Android image processing library.
The vulnerability was patched by Samsung in April 2025, but not before in-the-wild attacks saw the exploit triggered automatically upon receipt of a malformed image via messaging apps like WhatsApp. The attacks allowed hackers to spy on targets’ location, photos, call logs, and messages, and even activate their microphone.
Meanwhile, in February 2025, Google threat researchers reported on how Russian-linked hacking groups had attempted to spy on Signal users by tricking them into linking their accounts with devices controlled by hackers. If victims fell for the ruse, any future messages they sent or received via Signal would be delivered in real time directly to eavesdroppers, without any need to fully compromise their smartphones.
CISA urges users to take steps to keep their devices secure, including ensuring that their phones and apps are kept updated against security flaws, and avoiding installing apps from unofficial websites or via links sent through messages.
The agency also warned that even messages or files that appear to come from friends or colleagues may not be trustworthy if those accounts have themselves already been compromised.
