DMR News

CISA Warns That Hackers Are Bypassing Signal And WhatsApp Encryption Through Device Compromise

By Jolyen

Nov 27, 2025

Attackers target mobile devices instead of attempting to break end-to-end encryption

A new alert from the U.S. Cybersecurity and Infrastructure Security Agency says hackers are using commercial spyware to compromise the phones of high-value targets and access encrypted messaging apps such as Signal and WhatsApp. The agency said the campaigns focus on exploiting device-level and account-level vulnerabilities rather than attempting to break encryption itself. CISA noted that targets include senior current and former government officials, military and political figures, and members of civil society organizations across the United States, Europe, and the Middle East.

The alert describes phishing attempts, app impersonation, malicious QR-based authentication, and zero-click exploits that require no user interaction. According to the agency, attackers can scrape device data, text messages, audio recordings, and other files, and can remain undetected on compromised phones for years.

Spyware uses initial access to expand control and load additional payloads

CISA said the attackers rely on initial device access as a starting point. Once installed, spyware can escalate privileges, pull down secondary payloads, and maintain long-term control over a victim’s activity. The agency placed these operations within a broader marketplace in which state-backed groups and cyber-mercenary companies offer toolsets designed to bypass mobile operating system defenses and access messages before or after they are encrypted.

The alert said these operations frequently rely on phishing links, malicious QR codes, and trojanized apps distributed through copycat websites and unofficial stores. The surveillance tools resemble legitimate apps and interfaces, making them difficult to identify. After installation, the impostor apps can expose chat histories, live messages, photos, microphone recordings, system information, and stored documents.

QR-based account linking exploited to add unauthorized devices

One technique highlighted by CISA involves abusing the QR-based device-linking systems used by messaging apps to log in on multiple devices. Attackers can send doctored QR codes that appear to be part of a normal authentication process. When scanned, the victim’s phone pairs with an attacker-controlled system. This allows the attacker to add their device as an authorized endpoint and silently copy incoming messages without breaking encryption.

The alert also emphasized zero-click vulnerabilities that allow attackers to run arbitrary code via crafted messages or malicious media exploiting parsing bugs in messaging apps or the underlying mobile OS. Because the malware executes silently in the background, these intrusions are difficult to detect and well-suited for long-term monitoring of high-profile targets.

