Active Spyware Campaigns Hijacking High-Value Signal and WhatsApp Users

Multiple malicious actors are actively using commercial spyware and remote access trojans (RATs) to target users of secure mobile messaging apps, most notably Signal and WhatsApp. Rather than attempting to break the encryption directly, these attackers compromise the devices themselves, using social engineering, impersonated apps, spoofed QR codes, zero-click exploits, and abuse of messaging app features to gain a foothold on target devices and then deploy additional malware.

Several concrete campaigns have been confirmed active since early 2025. Among them: Android spyware campaigns dubbed ProSpy and ToSpy that impersonated apps such as Signal and ToTok to deceive users in the United Arab Emirates; a campaign called ClayRat that used fake Telegram channels and phishing pages to trick users in Russia into installing spyware under the guise of legitimate apps (including WhatsApp, Google Photos, TikTok, and YouTube); and a targeted exploit chain referencing vulnerabilities in iOS and WhatsApp (CVE-2025-43300 and CVE-2025-55177) that affected fewer than 200 users. Additionally, a Samsung-specific exploit (CVE-2025-21042) was used to deliver spyware known as LANDFALL to Galaxy devices in the Middle East.

The primary focus of these campaigns is "high-value individuals": current and former government, military, and political officials, as well as civil society organizations and other sensitive targets, across the United States, Europe, and the Middle East. This targeting suggests a concerted, likely state-aligned effort rather than indiscriminate mass malware proliferation.

It is recommended that at-risk individuals adopt a stringent set of cybersecurity best practices. These include using end-to-end encrypted communications, enabling phishing-resistant authentication methods such as FIDO instead of SMS-based MFA, using a password manager, securing mobile accounts with a telecom provider PIN, keeping device software up to date, and, for iOS users, enabling advanced protections such as Lockdown Mode and iCloud Private Relay. For Android devices, recommended precautions include using hardware from manufacturers with strong security records, limiting app permissions, enabling Google Play Protect, and avoiding unofficial app sources or untrusted VPNs.
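The ProSpy, ToSpy and ClayRat campaigns described above rely on impersonated apps that users install from outside the official store. A quick device triage for that pattern is to list the third-party packages on an Android phone together with the installer that placed them there and flag anything that did not come from Google Play or whose package name borrows a messaging app's brand without being the genuine package. The script below is an added example written for this post, not code from the post's author or from any of the vendors mentioned. It parses the text that `adb shell pm list packages -i -3` prints (one line per package with its installer); the sample output embedded in it is constructed, and the choice of Google Play as the only trusted installer is an assumption that you should widen for devices that legitimately use an OEM store.

```python
"""Triage helper: flag sideloaded and look-alike messaging apps on an Android device.

Input is the text produced by `adb shell pm list packages -i -3`, which lists
third-party packages as lines such as
    package:com.whatsapp  installer=com.android.vending
Packages installed by adb or by a browser download show `installer=null` or a
non-store installer. This is a detection heuristic for device triage, not a
malware signature.
"""
import re
from dataclasses import dataclass

# Genuine package names of apps the campaigns impersonate (real identifiers).
GENUINE = {
    "whatsapp": "com.whatsapp",
    "signal": "org.thoughtcrime.securesms",
    "telegram": "org.telegram.messenger",
}

# Assumption: Google Play is the only legitimate installer on this device.
# Add an OEM store (e.g. the Galaxy Store package) here if the device uses one.
TRUSTED_INSTALLERS = {"com.android.vending"}

# One `pm list packages -i` entry: "package:<name>  installer=<installer>"
LINE_RE = re.compile(r"^package:(\S+)\s+installer=(\S+)$")


@dataclass
class Finding:
    package: str
    installer: str
    reason: str


def parse_pm_output(text):
    """Return {package_name: installer} from `pm list packages -i` output.

    Lines that do not look like a package entry (warnings, blank lines) are skipped.
    """
    result = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            pkg, installer = m.groups()
            result[pkg] = installer
    return result


def triage(packages):
    """Flag packages installed outside the trusted store and brand look-alikes."""
    findings = []
    for pkg, installer in sorted(packages.items()):
        if installer not in TRUSTED_INSTALLERS:
            findings.append(Finding(pkg, installer, "installed outside Google Play"))
        for brand, genuine_pkg in GENUINE.items():
            # A package that carries a brand name but is not the genuine package
            # is the impersonation pattern used by ProSpy/ToSpy/ClayRat-style lures.
            if brand in pkg.lower() and pkg != genuine_pkg:
                findings.append(
                    Finding(pkg, installer, f"name mimics {brand} but is not {genuine_pkg}")
                )
    return findings


def flagged_packages(text):
    """Convenience wrapper: parse raw pm output and return the set of flagged packages."""
    return sorted({f.package for f in triage(parse_pm_output(text))})


# Constructed sample output: two genuine store installs, one browser, and two
# hypothetical look-alikes that were sideloaded. The example package names
# under com.example / org.example are placeholders, not real malware.
SAMPLE_PM_OUTPUT = """\
package:com.whatsapp  installer=com.android.vending
package:org.thoughtcrime.securesms  installer=com.android.vending
package:com.android.chrome  installer=com.android.vending
package:com.example.whatsapp.update  installer=null
package:org.example.signal.secure  installer=com.android.packageinstaller
"""

if __name__ == "__main__":
    for f in triage(parse_pm_output(SAMPLE_PM_OUTPUT)):
        print(f"{f.package:40} installer={f.installer:30} {f.reason}")
```

To run it against a real device, replace `SAMPLE_PM_OUTPUT` with the captured output of `adb shell pm list packages -i -3` (or pipe it in). Anything flagged deserves a look at its label, signing certificate and requested permissions before deciding whether it is a legitimately sideloaded app or an impersonator.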
