US cybersecurity agencies warned that multiple cyber threat actors are exploiting commercial spyware to infiltrate encrypted messaging apps used across the United States, Europe, and the Middle East by targeting high-value individuals through sophisticated social engineering and zero-click spyware techniques.
This is a growing messaging app security problem that keeps recurring.
The alert follows months of mounting evidence from global threat-intelligence firms and arrives shortly after the revelation of a massive China-linked telecom hack that compromised major US carriers.
Authorities say attackers increasingly weaponize messaging apps to gain persistent access to victims’ personal devices, using spyware delivered through messaging, malicious payloads, and advanced exploits to bypass even end-to-end encryption protections while overwhelming modern smartphones’ cyber protection systems.
Early Detection of Zero-Click Spyware Threats in Messaging Apps
In its latest advisory, the Cybersecurity and Infrastructure Security Agency (CISA) said, “CISA is aware of multiple cyber threat actors actively leveraging commercial spyware to target users of mobile messaging applications (apps).”
According to the agency, attackers use “sophisticated targeting and social engineering techniques to deliver spyware,” often beginning with phishing links, malicious QR codes, or impersonation of platforms like Signal and WhatsApp, tactics that frequently exploit zero-click exploit chains and unpatched messaging flaws to compromise devices without user interaction.
These operations are not stated anyhow.
CISA notes that high-value individuals (current and former government, military, and political officials, as well as leaders of civil society organizations) are the primary targets.
Evidence shows active campaigns stretching across the United States, the Middle East, and Europe, echoing similar findings by security researchers from Google’s Threat Intelligence Group (GTIG) and Palo Alto Networks’ Unit 42. Many of these incidents fall under the broader pattern of messaging cyber espionage, where attackers aim for long-term covert access.
Recent investigations showed Russian groups such as Sandworm and Turla exploiting Signal’s linked-device feature, enabling attackers to receive future messages “synchronously to both the victim and the threat actor in real-time without the need for full-device compromise.”
This technique often relies on a zero-click vulnerability that triggers attacks.
Additional undetected spyware installation attacks included the Android-based “Landfall” spyware campaign, which embedded malicious code into images delivered via WhatsApp over several months.
It is one example of chained mobile device exploits working together to penetrate otherwise secure platforms.
Other operations leveraged WhatsApp vulnerabilities to deliver spyware allegedly tied to Israeli vendor Paragon, while separate campaigns such as “ClayRat” and “ProSpy” used fake Telegram channels and sham Signal plug-ins to compromise users at scale. Security analysts say these campaigns increasingly incorporate zero-click remote code execution (RCE), an attack method that allows hackers to run code on a device without any user action.
This makes RCE particularly dangerous in the context of messaging apps, where incoming files or images can trigger compromise instantly, fueling new waves of smartphone cyber espionage.
AI and Deep Learning in Encrypted Communications Security
The rise in messaging app attacks comes just weeks after US intelligence agencies disclosed one of the largest telecom hacks in American history, carried out by the China-linked group Salt Typhoon. The intrusion prompted CISA, the NSA, the FBI, and international partners to publish guidance urging Americans to adopt safer mobile communication practices, including the broader use of communication data encryption.
End-to-end encryption ensures messages are readable only by the sender and recipient, screening communications from hackers, providers, and surveillance. “All things being equal, if you have the opportunity to use a platform that’s end-to-end encrypted, you should,” said Michael Hughes of Duality Technologies. Apps like WhatsApp and Signal integrate encryption by default, a key advantage over SMS and MMS, which offer no such protection.
If a device is compromised, as in zero-click attacks or spyware infections, hackers can access communications before encryption occurs. This is why threat analysts stress device hygiene: updating software, checking privacy settings, avoiding suspicious downloads, and verifying security features when switching phones.
RCS messaging offers encrypted capabilities on some platforms, but Apple’s implementation is not end-to-end encrypted. iMessage, though secure, does not extend its protections to Android users. Meanwhile, Facebook Messenger offers encrypted chats only in specific contexts, leaving other channels exposed.
Even so, experts agree that encryption should remain a default practice. As Trustwave’s Kory Daniels states it, “Threat actors go where the masses go. If the masses are still using unencrypted communication methods, [bad actors] will continue to exploit the opportunity until users begin to evolve their digital behaviors.”
CISA is urging the public, especially high-risk individuals, to review its updated Mobile Communications Best Practices and civil society guidance to strengthen defenses against zero-click spyware and rapidly evolving threats.