CISA has warned that state-backed snoops and cyber-mercenaries are actively abusing commercial spyware to break into Signal and WhatsApp accounts, hijack devices, and quietly rummage through the phones of what the agency calls “high-value” users.

In an alert published Monday, the US government’s cyber agency said it’s tracking multiple miscreants that are using a mix of phishing, bogus QR codes, malicious app impersonation, and, in some cases, full-blown zero-click exploits to compromise messaging apps which most people assume are safe.

The agency says the activity it’s seeing suggests an increasing focus on “high-value” individuals – everyone from current and former senior government, military, and political officials to civil society groups across the US, the Middle East, and Europe. In many of the campaigns, attackers delivered spyware first and asked questions later, using the foothold to deploy more payloads and deepen their access.

“CISA is aware of multiple cyber threat actors actively leveraging commercial spyware to target users of mobile messaging applications,” the agency said. “These cyber actors use sophisticated targeting and social engineering techniques to deliver spyware and gain unauthorized access to a victim’s messaging app, facilitating the deployment of additional malicious payloads that can further compromise the victim’s mobile device.”

The campaigns CISA flags in its bulletin show attackers doing what they do best: sidestepping encryption entirely by spoofing apps, abusing account features, and exploiting the phones underneath them.

For example, Google’s Threat Intelligence Group in February detailed how multiple Russia-aligned crews, including Sandworm and Turla, attempted to snoop on Signal users by abusing the app’s “linked devices” feature. By coaxing victims into scanning a tampered QR code, the operators could quietly add a second, attacker-controlled device to the account. Once paired, new messages flowed to both ends in real time, letting Moscow’s finest eavesdrop.

CISA also pointed to a separate line of Android exploitation work, spearheaded by Palo Alto Networks’ Unit 42, in which commercial-grade spyware known as LANDFALL was delivered to Samsung Galaxy devices. Uncovered earlier this month, this campaign combined a Samsung vulnerability with a zero-click WhatsApp exploit, allowing operators to slip a malicious image into a target’s inbox and have the device compromise itself on receipt.

Not all the activity relied on exploits. Several of the campaigns CISA cites – including ProSpy and ToSpy – made headway by impersonating familiar apps such as Signal and TikTok, hoovering up chat data, recordings, and files once it landed on a device. Meanwhile, Zimperium’s researchers identified ClayRat, an Android spyware family that has been seeded across Russia via counterfeit Telegram channels and lookalike phishing sites masquerading as WhatsApp, TikTok, and YouTube.

CISA’s alert lands amid heightened scrutiny of commercial spyware vendors. The US recently barred NSO Group from targeting WhatsApp users with Pegasus, and earlier this year, the US House of Representatives banned WhatsApp from staff devices after a string of security concerns. This move reflects the uncomfortable reality behind CISA’s warning: attackers aren’t breaking encrypted messengers, they’re simply burrowing under them. ®