
CISA alerts on spyware targeting users of mobile messaging applications

CISA reports that various cyber threat actors are using commercial spyware to target users of mobile messaging applications. This activity enables unauthorized access to these applications and the subsequent deployment of additional malware, compromising the affected mobile devices.

The advisory includes details on specific tactics and technical attributes of these attacks. It identifies the use of phishing and device-linking QR codes that connect victim accounts to threat actor-controlled devices. Zero-click exploits, which do not require any user interaction, form part of the attack methodology. Threat actors also impersonate messaging platforms, including Signal and WhatsApp. The attack vectors and techniques involved are documented in technical analyses from Google Threat Intelligence and others.

The observed targeting behavior appears opportunistic but focuses on high-profile subjects such as current and former government, military, and political officials, alongside civil society organizations and related individuals. The geographic scope of detected activity spans the United States, the Middle East, and Europe.

The advisory states that updated best-practice guidance is available for mobile communications security, along with guidance tailored for civil society to mitigate spyware risks. These resources provide measures to reduce exposure to such threats.

CISA encourages users of messaging applications to consult the Mobile Communications Best Practice Guidance and the Mitigating Cyber Threats with Limited Resources: Guidance for Civil Society documents for protecting mobile devices and communications against spyware and other cyber threats.