CISA alert draws attention to spyware’s targeting of messaging apps

The Cybersecurity and Infrastructure Security Agency warned Monday about threat groups using commercial spyware to target messaging apps, and urged users to take protective steps.

“CISA is aware of multiple cyber threat actors actively leveraging commercial spyware to target users of mobile messaging applications (apps),” the agency said in a brief online notice. “These cyber actors use sophisticated targeting and social engineering techniques to deliver spyware and gain unauthorized access to a victim’s messaging app, facilitating the deployment of additional malicious payloads that can further compromise the victim’s mobile device.”

The warning draws on research this year that calls attention to hackers who are mimicking popular apps to deploy Android spyware, as well as Android spyware targeting Samsung devices by sending image files over WhatsApp. The warning also piggybacks on research about Russian hackers infecting Signal accounts.

“While current targeting remains opportunistic, evidence suggests these cyber actors focus on high-value individuals, such as current and former high-ranking government, military, and political officials, as well as civil society organizations (CSOs) and individuals across the United States, Middle East, and Europe,” the CISA warning states.

It’s rare, but not unheard of, for CISA to warn about spyware threats. One alert dates back to 2009 from a predecessor to CISA. It has released cybersecurity advice for dealing with spyware, and placed vulnerabilities that spyware vendors have exploited on its so-called “must-patch” list for federal agencies, including the recent Samsung vulnerability.

This time, CISA directed users to mobile security guidelines and advice for civil society groups. 

Beyond the warnings about targeting messaging apps, CISA also said threat groups are using malicious QR codes and zero-click exploits, which infect users even if they don’t take any direct action themselves.