🔴 HIGH intel

Spyware Abuse of Signal and WhatsApp Targets High-Value Officials

A new advisory based on CISA reporting highlights how multiple threat actors are abusing Signal and WhatsApp features to deploy commercial spyware against current and former senior government, military, and political officials. Attackers abuse the linked-device workflow with malicious QR codes to silently attach victim accounts to attacker-controlled infrastructure, activity mapped to MITRE ATT&CK T1566 (Phishing), T1204 (User Execution), and T1078 (Valid Accounts). Once linked, the attacker's device receives the victim's messages in parallel and can pull chat history, with no exploit against the underlying smartphone: the rogue device is simply one more legitimate endpoint of the account. Device-level compromise, where it occurs, comes from the spyware delivery described below rather than from the link itself.

The campaigns rely on social engineering and fake upgrade prompts for popular messaging apps such as Signal and WhatsApp, including fraudulent apps that masquerade as legitimate updates. In parallel, zero-click exploits are reportedly used against some high-value targets, requiring no user interaction to install spyware. Research cited by CISA and Google documents Russian-aligned espionage groups that trick victims into scanning malicious QR codes, linking their Signal account to attacker devices that then receive every message alongside the victim. Other Android spyware families pose as Signal variants and harvest documents, chat backups, contacts, and media once installed.

The business and geopolitical impact is significant: compromised messaging accounts at senior levels can expose diplomatic negotiations, military planning, legal strategies, and civil society operations. End-to-end encryption is not broken by these techniques; it is extended to an endpoint the attacker controls, so the attacker reads plaintext exactly as the victim does. This raises acute risks for human-rights organizations, journalists, NGOs, and government staff who rely on secure messaging to protect sources and sensitive data. It also reinforces concerns about commercial spyware markets and their use by authoritarian regimes despite ongoing sanctions and litigation.
Mitigation involves tightening mobile security baselines: enforcing OS and app patching, periodically reviewing the Linked Devices list in both Signal and WhatsApp and removing any entry the user does not recognize, and scrutinizing any session that starts from a scanned QR code. Organizations should publish clear guidance discouraging sideloaded or unofficial app versions, mandate MDM-based controls on high-risk handsets, and enable secure backup and remote wipe. For high-value individuals, consider dedicated secure devices with stricter profiles, routine forensic review, and clear incident escalation paths when suspicious login prompts or new device links appear.

🎯CORTEX Protocol Intelligence Assessment

Business Impact: Abuse of Signal and WhatsApp features to deliver commercial spyware threatens the confidentiality of executive and governmental communications, undermining strategic decision-making and exposing organizations to espionage and reputational damage. Civil society groups and at-risk individuals face heightened physical and legal danger when their communications are monitored.

Technical Context: Threat actors blend T1566 phishing, malicious QR codes, fake upgrade apps, and in some cases zero-click exploits to hijack messaging app accounts and linked devices, mapped to T1204 and T1078. Once attached, attacker devices receive messages in real time, and spyware can harvest chat backups, documents, and contact lists at scale.

⚑Strategic Intelligence Guidance

  • Inventory high-risk users (executives, government liaisons, activists) and enroll their devices in a hardened mobile management program with mandatory OS and app updates.
  • Disable or tightly monitor linked-device features in Signal and WhatsApp, and educate users to treat QR code pairing requests as high-risk actions that must be verified out-of-band.
  • Prohibit sideloading of messaging apps and require downloads only from official stores or managed enterprise app catalogs, backed by mobile threat defense tooling.
  • Adopt a policy for handling sensitive communications that includes dedicated secure devices, periodic compromise assessments, and pre-defined incident response steps for suspected spyware infections.
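The mitigation paragraph and the second guidance bullet both say that QR-initiated pairing must be treated as a high-risk action and verified before anyone scans the code on a production handset. The script below is an added example, not code from the advisory, CISA, Google, Signal or WhatsApp: it takes already-decoded QR payloads (any offline decoder such as zbarimg produces the raw string) and classifies them so that a device-linking request is blocked before it reaches the phone, including the case where the linking URI is smuggled inside an ordinary-looking https link. It assumes that Signal device-linking codes decode to `sgnl://linkdevice?uuid=...&pub_key=...` and group invites to `https://signal.group/#...` (both match the open-source clients at the time of writing; re-verify against the versions you deploy). The sample payloads, key material and shortener list are constructed for illustration.

```python
"""Offline triage of decoded QR payloads before a high-risk user scans them.

Added example; not part of the advisory or any vendor's code. Assumptions:
  * Signal device-linking QR codes decode to sgnl://linkdevice?uuid=...&pub_key=...
  * Signal group invites decode to https://signal.group/#...
  * Everything else is an ordinary URL or opaque text.
"""
from dataclasses import dataclass
from urllib.parse import parse_qs, unquote, urlsplit

# Hosts that hide the real destination. A code pointing here must be resolved on an
# isolated machine before anyone scans it. (Constructed list; extend for your estate.)
SHORTENER_HOSTS = {"bit.ly", "t.co", "tinyurl.com", "goo.gl", "is.gd"}


@dataclass(frozen=True)
class Verdict:
    level: str   # BLOCK / REVIEW / ALLOW
    kind: str    # short classification label for the analyst
    reason: str  # one-line explanation


def is_signal_linkdevice(uri: str) -> bool:
    """True if `uri` is a Signal device-linking URI (assumed form sgnl://linkdevice?...)."""
    p = urlsplit(uri.strip())
    return p.scheme.lower() == "sgnl" and p.netloc.lower() == "linkdevice"


def classify_qr_payload(payload: str) -> Verdict:
    """Classify one decoded QR payload. Never follows links; runs fully offline."""
    text = payload.strip()
    p = urlsplit(text)
    scheme, host = p.scheme.lower(), p.netloc.lower()

    # 1. A bare device-linking URI: scanning it pairs the account to a new device.
    if is_signal_linkdevice(text):
        q = parse_qs(p.query)
        missing = [k for k in ("uuid", "pub_key") if k not in q]
        if missing:
            return Verdict("REVIEW", "signal-linkdevice-malformed",
                           f"linkdevice URI missing {missing}; still treat as a pairing attempt")
        return Verdict("BLOCK", "signal-linkdevice",
                       "pairs this Signal account to a new device; only scan codes you generated")

    # 2. A web link that carries the linking URI in its query or fragment
    #    (the phishing-page / redirect pattern the advisory describes).
    if scheme in ("http", "https"):
        for chunk in (p.query, p.fragment):
            if "sgnl://linkdevice" in unquote(chunk).lower():
                return Verdict("BLOCK", "wrapped-linkdevice",
                               f"https link via {host} carries a Signal linkdevice URI")
        if host == "signal.group":
            return Verdict("REVIEW", "signal-group-invite",
                           "joins a group; confirm the inviter out-of-band first")
        if host in SHORTENER_HOSTS:
            return Verdict("REVIEW", "shortened-url",
                           f"opaque shortener {host}; resolve on an isolated machine first")
        return Verdict("ALLOW", "web-url", f"plain web link to {host}")

    # 3. Any other Signal deep link, or something that is not a URL at all.
    if scheme == "sgnl":
        return Verdict("REVIEW", "signal-deeplink", f"other Signal deep link: {host}")
    return Verdict("REVIEW", "opaque", "not a URL; inspect manually")


# Constructed sample payloads; the uuid/pub_key values are random, not real keys.
SAMPLE_PAYLOADS = {
    "linkdevice": "sgnl://linkdevice?uuid=Qk9HVVMtVVVJRA%3D%3D&pub_key=Qk9HVVMtS0VZ",
    "wrapped": "https://example.invalid/join?next=sgnl%3A%2F%2Flinkdevice%3Fuuid%3DAAAA%26pub_key%3DBBBB",
    "group": "https://signal.group/#CjQKIEXAMPLEINVITE",
    "shortener": "https://bit.ly/3xAmPl3",
    "plain": "https://www.cisa.gov/",
    "wifi": "WIFI:S:guest;T:WPA;P:secret;;",
}


def triage(payloads: dict) -> dict:
    """Classify every payload; returns {name: Verdict} so the result is easy to assert on."""
    return {name: classify_qr_payload(text) for name, text in payloads.items()}


if __name__ == "__main__":
    for name, v in triage(SAMPLE_PAYLOADS).items():
        print(f"{v.level:6} {name:11} {v.kind:28} {v.reason}")
```

Run it on the output of a decoder rather than on a phone: `zbarimg --raw code.png | python3 qr_triage.py` style pipelines keep the scan off the handset entirely, and any BLOCK verdict is the signal to open an incident rather than to ask the user whether they expected the code.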

Vendors

Signal
WhatsApp

Threats

commercial spyware

Targets

government officials
military leaders
political figures
civil society organizations