Messaging Apps Under Siege: CISA Alert Exposes Strategic Gaps in US Cyber Defense

Federal alert tells Americans to defend messaging apps from Russian military intelligence attacks as federal policies prove ineffective against proliferating threats


On November 24, 2025, the Cybersecurity and Infrastructure Security Agency issued a stark warning: commercial spyware is being used by multiple cyber threat actors to systematically target users of mobile messaging applications including Signal and WhatsApp. The alert detailed sophisticated attack methods ranging from phishing and malicious QR codes to zero-click exploits requiring no user interaction, with evidence suggesting focused targeting of high-value individuals including current and former government officials, military personnel, and civil society organizations across the United States, Middle East, and Europe.

What makes the timing significant is that the threats CISA documented date back to February 2025, a nine-month gap between the first public disclosures and a consolidated federal warning. The immediate catalyst appears to be LANDFALL, a previously unknown commercial-grade Android spyware family that Palo Alto Networks Unit 42 exposed on November 7. LANDFALL had operated undetected since July 2024, exploiting a then-unpatched vulnerability in Samsung's image-parsing library (CVE-2025-21042, fixed by Samsung in April 2025) to target high-end Galaxy devices through malicious DNG image files, likely sent via WhatsApp, in zero-click attacks. The spyware targeted devices in Iran, Iraq, Turkey, and Morocco, with capabilities including microphone recording, location tracking, and comprehensive data exfiltration. Infrastructure analysis revealed patterns similar to those of known commercial spyware vendors including NSO Group, Variston, and Cytrox, with possible links to Stealth Falcon, a UAE-connected threat group.

CISA added the Samsung vulnerability to its Known Exploited Vulnerabilities catalog on November 10, setting a December 1 remediation deadline. The public alert followed 14 days later, synthesizing nine months of escalating threats. In February 2025, Google documented Russian state actors including APT44, also known as Sandworm, abusing Signal's device-linking feature via malicious QR codes to intercept Ukrainian military communications. In August, WhatsApp disclosed a zero-click exploit chain (CVE-2025-55177, an authorization flaw in its linked-device synchronization messages, combined with an Apple image-parsing vulnerability) used against fewer than 200 users, including civil society members. In October, security researchers identified the ClayRat Android spyware targeting Russian users, and the ProSpy and ToSpy campaigns impersonating Signal and ToTok in the UAE.

The actors behind the Signal device-linking campaigns are Russian military intelligence officers, not freelance hackers or cybercriminal syndicates. APT44, the cluster Google tracks as Sandworm, has been attributed by multiple governments to Unit 74455 of Russia’s Main Intelligence Directorate, the GRU. On October 15, 2020, the US Department of Justice indicted six GRU officers by name for their roles in Sandworm campaigns: Yuriy Sergeyevich Andrienko, Sergey Vladimirovich Detistov, Pavel Valeryevich Frolov, Anatoliy Sergeyevich Kovalev, Artem Valeryevich Ochichenko, and Petr Nikolayevich Pliskin.

The device-linking technique has proven particularly effective because it abuses a legitimate feature of messaging apps that lets users access one account from several devices at once. When a victim scans a malicious QR code disguised as a group invite or as a Ukrainian military app interface, they unknowingly link their Signal account to an attacker-controlled device, which then receives every subsequent message in real time, with no exploit and no compromise of the victim's handset. Two other Russian espionage clusters, tracked as UNC5792 and UNC4221, have used the same technique with tailored phishing kits, including one mimicking the Kropyva artillery guidance application used by Ukrainian armed forces. Separately, Microsoft has reported that a subgroup of Seashell Blizzard, its name for Sandworm, has gained access to critical infrastructure networks across the US, Canada, Australia, and the UK by exploiting vulnerabilities in ConnectWise ScreenConnect and Fortinet FortiClient EMS.
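Because a device-linking QR code and a group-invite QR code look identical as printed squares, the only reliable check is the decoded text. The Python script below is an added example (not code from CISA, Google, or Signal) that triages decoded QR payloads before anyone scans them with the Signal app. It assumes that Signal device-linking codes decode to a `sgnl://linkdevice?uuid=...&pub_key=...` URI and that group invites decode to `https://signal.group/#...`; every sample payload in it is constructed for the example.

```python
"""Triage decoded QR-code payloads before a user scans them with Signal.

Added example, not CISA, Google or Signal code. Assumptions (both
labelled as such here, not confirmed by the article):
  - Signal device-linking QR codes decode to
        sgnl://linkdevice?uuid=<uuid>&pub_key=<base64 key>
  - Signal group invites decode to
        https://signal.group/#<opaque base64 blob>
All sample payloads below are constructed for this example.
"""
from urllib.parse import urlsplit, parse_qs

DEVICE_LINK = "DEVICE_LINK"    # would link the account to the QR author's device
GROUP_INVITE = "GROUP_INVITE"  # an ordinary Signal group invite link
OTHER_URL = "OTHER_URL"        # a web link; cannot link a device by itself
NOT_A_URL = "NOT_A_URL"        # plain text, Wi-Fi config, contact card, etc.


def classify_qr_payload(payload: str) -> dict:
    """Classify one decoded QR payload and explain the verdict.

    Decode the QR with any scanner that shows the raw text, then check the
    scheme and host before letting the Signal app act on it. Scheme and host
    are compared case-insensitively so 'SGNL://LinkDevice' is not missed.
    """
    text = payload.strip()
    try:
        parts = urlsplit(text)
    except ValueError:
        return {"kind": NOT_A_URL, "risk": "unknown", "reason": "unparseable payload"}
    scheme = parts.scheme.lower()
    host = parts.netloc.lower()

    if scheme == "sgnl" and host == "linkdevice":
        params = parse_qs(parts.query)
        return {
            "kind": DEVICE_LINK,
            "risk": "high",
            "device_uuid": params.get("uuid", [""])[0],
            "has_pub_key": "pub_key" in params,
            "reason": "sgnl://linkdevice URI: scanning this in Signal adds a new "
                      "linked device that receives all future messages",
        }

    # Exact host match only: 'signal.group.evil.example' must not pass.
    if scheme == "https" and host == "signal.group" and parts.fragment:
        return {
            "kind": GROUP_INVITE,
            "risk": "low",
            "reason": "signal.group invite: joins a group, does not link a device",
        }

    if scheme in ("http", "https"):
        return {
            "kind": OTHER_URL,
            "risk": "medium",
            "host": host,
            "reason": "web URL: a phishing page here may present a second, "
                      "device-linking QR code (the Kropyva-lookalike pattern)",
        }

    return {"kind": NOT_A_URL, "risk": "unknown", "reason": "not a URI"}


def triage(payloads):
    """Return (payload, kind) pairs with device links first, for quick review."""
    rows = [(p, classify_qr_payload(p)["kind"]) for p in payloads]
    order = {DEVICE_LINK: 0, OTHER_URL: 1, GROUP_INVITE: 2, NOT_A_URL: 3}
    return sorted(rows, key=lambda r: order[r[1]])


# Constructed sample payloads (not real invites, keys or campaign artifacts).
SAMPLE_PAYLOADS = [
    "https://signal.group/#CjQKIEXAMPLEGROUPINVITE",
    "sgnl://linkdevice?uuid=00000000-0000-4000-8000-000000000000&pub_key=QUFBQUFBQUFB",
    "SGNL://LinkDevice?uuid=11111111-1111-4111-8111-111111111111&pub_key=QkJCQkJC",
    "https://kropyva.example/login",
    "WIFI:T:WPA;S:office;P:hunter2;;",
]

if __name__ == "__main__":
    for payload, kind in triage(SAMPLE_PAYLOADS):
        verdict = classify_qr_payload(payload)
        print(f"{kind:13} {verdict['risk']:7} {payload}")
        print(f"              {verdict['reason']}")
```

The same check belongs in a device-audit routine: anything classified DEVICE_LINK that did not originate from a desktop you personally set up is a linking attempt, and the `uuid` it carries is the device that would appear under Signal's Linked Devices list.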

While the Biden administration issued Executive Order 14093 in March 2023 restricting federal use of commercial spyware posing counterintelligence or human rights risks, the Trump administration has effectively circumvented these restrictions through enforcement rollbacks. ICE signed a $2 million contract with Israeli spyware vendor Paragon Solutions for its Graphite tool in September 2024. The Biden administration issued a stop-work order in October 2024 pending compliance review. In December 2024, Paragon was acquired by US private equity firm AE Industrial Partners for up to $900 million. On August 30, 2025, the Trump administration lifted the stop-work order and reactivated the contract.

The commercial spyware landscape was further complicated by an October 20, 2025 federal court ruling against NSO Group, the Israeli company behind the notorious Pegasus spyware. US District Judge Phyllis Hamilton issued a permanent injunction barring NSO Group from targeting WhatsApp users. However, the damages were dramatically reduced, from the jury’s original award of $167.25 million in punitive damages to approximately $4 million in total, a cut of roughly 97 percent. Judge Hamilton reasoned that there were too few comparable cases of unlawful electronic surveillance in the smartphone era to establish that NSO’s conduct was especially egregious. NSO Group filed an appeal on November 19, 2025, five days before the CISA alert, arguing that the injunction would cause it irreparable injury.

The November 24 alert arrives as users face threats from multiple directions. Throughout late 2024, the Salt Typhoon telecommunications compromise saw Chinese hackers infiltrate at least nine major US telecom providers, prompting CISA and the FBI to recommend encrypted messaging apps like Signal and WhatsApp in December 2024. Those same platforms are now being systematically targeted by Russian military intelligence units using zero-click exploits and social engineering attacks, creating a comprehensive assault on communications security from both infrastructure-level compromise and application-level exploitation.

Nearly 100 countries now possess commercial spyware capabilities, according to the National Counterintelligence and Security Center, a proliferating threat that extends well beyond traditional nation-state actors. For high-value individuals including government officials, military personnel, journalists, and civil society activists, the CISA alert delivers a sobering message about the limits of available protection. The alert recommends regularly reviewing the linked devices on a Signal account and removing any that are not recognized, using disappearing messages, enabling Lockdown Mode on iOS and the equivalent hardening mode on Android, and following CISA’s Mobile Communications Best Practice Guidance.

The fundamental challenge is that defensive warnings cannot substitute for offensive deterrence. The US government has expanded its own use of commercial spyware through vendors like Paragon while warning Americans about spyware threats. Legal remedies against companies like NSO Group result in damages reduced by 97 percent. Executive orders designed to restrict spyware use are circumvented through corporate acquisitions and enforcement rollbacks.

Russia’s GRU officers will not be deterred by better user security hygiene, and commercial spyware vendors will not stop operating because of weakened court rulings or executive orders they can circumvent. For Americans targeted by these sophisticated threats, the message has become clear: federal agencies can identify the attackers, explain the techniques, and recommend defensive measures, but stopping the threat at its source remains beyond the scope of current policy.
