New CISA alert: encryption isn't what's failing on Signal and WhatsApp

Skye Jacobs

Why it matters: Hackers are bypassing the encryption used in messenger apps by compromising the phones themselves and abusing convenience features such as QR-based sign-ins. The latest campaign goes after high-value individuals. The attacks have scraped device data, text messages, and even audio recordings. The techniques can require no user interaction and remain hidden for years.

The US Cybersecurity and Infrastructure Security Agency warns that hackers are actively targeting Signal, WhatsApp, and other encrypted messaging apps with commercial spyware that exploits vulnerabilities in specific phones and in account features. The alert describes phishing attempts, app impersonation, and zero-click exploits aimed at high-value users, often using commercial toolsets comparable to those used by nation-states. The CISA says targets include senior current and former government officials, military and political figures, and members of civil society organizations in the United States, Europe, and the Middle East.

These campaigns use initial access on a device as a starting point rather than the end goal. Once on a phone, spyware acts as a loader, pulling down additional payloads, raising privileges, and maintaining long-term control over the victim's data and activity. The CISA places this within a broader shift in which state-backed groups and for-hire cyber-mercenary companies sell tools intended to bypass the defenses people expect from modern mobile operating systems and end-to-end encrypted apps.

The alert notes that the attackers share the same basic approach. Instead of trying to break the apps' encryption, they compromise the app layer or the mobile OS to read messages before they are encrypted or after they are decrypted. Typical delivery methods include phishing links, malicious QR codes, and trojanized apps, often paired with zero-click exploits that trigger without user interaction.

Once installed, the spyware can access chat histories and live messages, capture recordings and files, and in some cases turn the phone into a general surveillance device, collecting location data, call logs, contacts, and other documents. One technique the CISA describes involves abusing device-linking and QR-based authentication that messaging apps use to log in to multiple devices. By sending doctored QR codes that mimic a standard login or linking step, attackers can force a phone to pair with systems they control.

That pairing allows the attackers to add their device as an authorized endpoint on the victim's account, silently copying new messages without breaking the underlying encryption or noticeably taking over the account. The same operations also rely on phishing and on getting victims to install fake updates or clones of trusted apps and services. The hackers distribute their malicious apps through links, copycat websites, and unofficial stores that use familiar branding and interfaces to appear legitimate.
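The two QR-borne risks above, a linking code that pairs a new device and a copycat site carrying the brand name, can be triaged before a code is acted on. This is an added example, not code from the CISA alert or the article; it assumes Signal's device-linking QR is a URI of the form sgnl://linkdevice?uuid=...&pub_key=... (an assumption), and the sample payloads are constructed.

```python
from urllib.parse import urlsplit, parse_qs

# Assumed: Signal's device-linking QR carries a URI with this scheme and host
# (sgnl://linkdevice?uuid=...&pub_key=...). Assumption, not taken from the alert.
LINKING_URIS = {("sgnl", "linkdevice")}

# Domains the brands are actually served from; any other hostname that carries
# the brand name is treated as a possible copycat site.
BRAND_DOMAINS = {"signal": {"signal.org"}, "whatsapp": {"whatsapp.com"}}


def _under(host: str, domain: str) -> bool:
    """True when host is the domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def triage_qr(payload: str) -> dict:
    """Classify a decoded QR payload without opening or following it."""
    parts = urlsplit(payload.strip())
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()

    # A linking URI is the case the alert describes: scanning it authorises a
    # new endpoint that will receive every message from then on.
    if (scheme, host) in LINKING_URIS:
        return {"kind": "device-link", "risk": "high",
                "params": sorted(parse_qs(parts.query)),
                "reason": "pairs a new device that will receive your messages; "
                          "only proceed if you started this linking yourself"}

    if scheme in ("http", "https"):
        for brand, legit in BRAND_DOMAINS.items():
            if brand in host and not any(_under(host, d) for d in legit):
                return {"kind": "brand-lookalike", "risk": "high", "host": host,
                        "reason": f"hostname uses the {brand} name but is not a {brand} domain"}
        return {"kind": "web-link", "risk": "medium", "host": host,
                "reason": "opens a website; verify the domain before signing in or installing"}

    return {"kind": "other", "risk": "low",
            "reason": f"scheme {scheme or 'none'!r} is not a messenger linking URI"}


if __name__ == "__main__":
    # Constructed sample payloads, not real codes from the campaign.
    for sample in ("sgnl://linkdevice?uuid=abc&pub_key=xyz",
                   "https://whatsapp-web-login.example/scan",
                   "https://signal.org/download",
                   "WIFI:S:cafe;T:WPA;P:secret;;"):
        print(sample, "->", triage_qr(sample)["kind"])
```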

The impostor apps act as surveillance tools, exposing messaging data, microphone recordings, stored files, photos, and system information, helping operators track and profile the user. The CISA also highlights zero-click vulnerabilities. The attackers can run arbitrary code by using carefully crafted messages or malicious media that exploit parsing bugs in various apps or the device's OS. The malware works in the background without user interaction, so the intrusion is extremely hard to detect, making it well-suited for quiet, long-term monitoring of high-profile targets.

I assume it's purely Android, since it's really difficult to get apps with malware/spyware into Apple's ecosystem. And that is what makes Apple so strong.
 
I assume it's purely Android, since it's really difficult to get apps with malware/spyware into Apple's ecosystem. And that is what makes Apple so strong.
You would be incorrect. Remember GrayKey? iOS messenger has 0-day exploits just like Android, and if you think state actors haven't cracked into iOS, well, good luck man.

You could just Google "iOS diplomat hijack" and get dozens of stories of diplomats' iPhones being cracked by Israeli groups. And you know if they are doing it, odds are others are too.

 
It's like people using 2-factor authentication and all sorts of thumbprint/face unlocking, and then using a password like 123456.
 
You would be incorrect. Remember GrayKey? iOS messenger has 0-day exploits just like Android, and if you think state actors haven't cracked into iOS, well, good luck man.

You could just Google "iOS diplomat hijack" and get dozens of stories of diplomats' iPhones being cracked by Israeli groups. And you know if they are doing it, odds are others are too.


Now you're linking to top-notch folks that governments pay millions of USD to get access to their things. The above article is purely about stuff that usually flows through third-party channels or due to poor management in app stores.

I mean I have a child; he'll be going into computer science, because I believe the money for him later will be in cracking, hacking things and selling that to governments. Think about it.
 
I assume it's purely Android, since it's really difficult to get apps with malware/spyware into Apple's ecosystem. And that is what makes Apple so strong.

On the one hand, their having control over the OS and hardware seems to lend itself to Apple's strength in security today. On the other hand, this isn't the mid-2000s anymore. They're no longer a small-market-share firm catering to specialists, representing little incentive to exploit. Everybody uses an iPhone, especially in the enterprise world. The incentive to exploit is massive. Worse (for them) still, their control over all software running on iOS is being eroded day by day.
 
iPhone is quite secure, but you can't beat the millions being paid for zero-day exploits by NSO and what more. There's plenty of business to obtain once you have one that breaks a fully secured iPhone protected with isolation mode.
 
Now you're linking to top-notch folks that governments pay millions of USD to get access to their things. The above article is purely about stuff that usually flows through third-party channels or due to poor management in app stores.

I mean I have a child; he'll be going into computer science, because I believe the money for him later will be in cracking, hacking things and selling that to governments. Think about it.
The above article is talking about state-backed actors, not script kiddies using drive-by attacks.
 
Much mumbo jumbo without any specific details as to how a cracked phone can "read" the encrypted messages of an app.
 