The US Cybersecurity and Infrastructure Security Agency (CISA) has reported a surge in espionage activity targeting secure mobile messaging applications.
According to guidance updated on Nov 24, 2025, attackers have increasingly been observed using commercial spyware, malicious quick-response (QR) codes, and impersonation tactics to target users of applications like Signal and WhatsApp.
CISA warns that targeted individuals included government, military, political, and civil society figures across the US, the Middle East, and Europe.
The warning builds on research from the Google Threat Intelligence Group, which observed Russia-aligned actors abusing Signal’s “linked devices” feature to silently pair victim accounts with attacker-controlled devices. This technique enabled real-time message access without the need for full device compromise.
New Guidance for High-Risk Users
CISA’s updated Mobile Communications Best Practice Guidance emphasized that highly targeted individuals should assume mobile communications are at risk of interception. The agency advised enabling phishing-resistant Fast Identity Online (FIDO) authentication, reviewing linked devices frequently, and updating operating systems weekly.
CISA also recommended the following protective steps for secure-messaging users:
- Audit linked devices – Remove any device not explicitly authorized
- Avoid Short Message Service–based multi-factor authentication – SMS is unencrypted and vulnerable to interception
- Use end-to-end encrypted applications – Verify metadata policies and avoid scanning unknown QR codes
- Enable strong device protections – Use long passwords, hardware-based security keys, and Lockdown Mode on supported devices
- Update promptly – Apply the latest versions of operating systems and messaging apps
Google researchers also reported broader campaigns from Russia- and Belarus-aligned groups attempting to exfiltrate Signal database files through PowerShell scripts, Android malware, and post-compromise utilities. These operations suggest a growing emphasis on both remote phishing and close-access device manipulation.
“CISA strongly urges highly targeted individuals to immediately review and apply the best practices below to protect mobile communications,” the agency warned. “While no single solution eliminates all risks, implementing these best practices significantly enhances protection of sensitive communications against nation-state-affiliate[d] and other malicious cyber actors.”