State-sponsored spyware campaign targeting Signal and WhatsApp, CISA warns
The Cybersecurity and Infrastructure Security Agency (CISA) issued an alert on Monday warning of a state-sponsored spyware campaign targeting Signal and WhatsApp users.
The alert mentioned several attack vectors that these threat actors use, including undisclosed zero-day vulnerabilities, malicious device-linking QR codes, and impersonation of official messaging apps. Although victim selection remains opportunistic, CISA believes these threat actors focus on high-value government, political, and military officials.
CISA cites two known campaigns targeting Signal and WhatsApp users. The first is a Russian-affiliated remote phishing operation targeting Signal users in Ukraine. According to a Google Threat Intelligence Group blog, these attacks abuse Signal's Linked Devices feature: the attacker generates a legitimate device-linking QR code and disguises it as something else, so that a victim who scans it unknowingly links the attacker's device to their own account.
In remote phishing operations observed to date, malicious QR codes have frequently been masked as legitimate Signal resources, such as group invites, security alerts, or as legitimate device pairing instructions from the Signal website. In more tailored remote phishing operations, malicious device-linking QR codes have been embedded in phishing pages crafted to appear as specialized applications used by the Ukrainian military.
WhatsApp also includes a Linked Devices feature that allows its users to connect non-smartphone devices to their account, and it has been exploited by hackers before. The difference lies mostly in Signal's user base, which includes activists, journalists, and government officials. CISA states that state-sponsored threat actors may deem this demographic lucrative for remote phishing operations.
The second incident refers to a Palo Alto Networks Unit 42 disclosure report on LANDFALL, commercial spyware that targets Samsung Galaxy devices across the Middle East. LANDFALL is embedded in malicious image files in the .DNG format, which are then sent to the victim and executed through a known WhatsApp exploit. Judging by their filenames, the images were crafted specifically for delivery over that application.
Filenames containing strings like "WhatsApp Image" and "WA000" imply that the attackers could have attempted to deliver the embedded Android spyware via WhatsApp. This matches earlier public reporting of similar DNG image-based exploitation through WhatsApp targeting Apple devices. Furthermore, WhatsApp researchers identified and reported a similar DNG vulnerability, CVE-2025-21043, to Samsung.
Remember that end-to-end encrypted messaging applications cannot protect you against zero-day vulnerabilities or social engineering attacks. Even if you use our recommended services such as Signal, SimpleX, or Matrix, always disable automatic image downloading and URL previews, since both cause the app to process attacker-supplied content before you have chosen to open it. Do not click on suspicious links or scan untrusted QR codes, and periodically review the Linked Devices list in your messaging app so that any device you do not recognize can be removed.
Are you still concerned about state-sponsored spyware? Consider reading our knowledge base article on common threat models such as targeted attacks. You should also review the basic security concepts of your preferred operating system or device.
Thank you for reading this article. If you want to support our news briefs, guides, and videos please consider becoming a Privacy Guides member.
Privacy Guides is 100% reader-funded. You can subscribe for free, or donate and receive early-access and exclusive content from the team.