The U.S. cybersecurity agency CISA has issued a warning that state-backed hackers and cybercriminal groups are increasingly using spyware to target users of encrypted messaging apps like Signal, WhatsApp, and Telegram. The attackers are not trying to break the apps’ encryption directly — instead they compromise the user’s phone itself, making encryption irrelevant.
These campaigns are especially dangerous because they exploit a range of sophisticated techniques:
- Fake QR-codes that trick users into linking their account to an attacker-controlled device.
- Malware disguised as app updates or innocent files — including “zero-click” exploits that infect a device without any action required from the user.
- Once installed, spyware can read messages and view photos, call history, contacts, and location data: anything on the device, including conversations that are end-to-end encrypted.
Targets tend to be “high-value individuals” — politicians, government or military officials, journalists, activists — but ordinary users are not immune. According to the advisory, once spyware is on a device, attackers can deploy additional payloads, deepening the compromise and even hiding traces.
To stay safe, CISA recommends:
- Keep devices and apps updated so known vulnerabilities are patched.
- Avoid installing apps or updates from unofficial sources or links sent via messages.
- Avoid scanning unknown or suspicious QR codes, even if they look like legitimate device-linking requests.
- Be cautious about unexpected files or images, and disable automatic media/image downloading or previews, especially in WhatsApp, Signal, or Telegram.
CISA emphasizes that while end-to-end encryption protects data in transit, it does not protect data on a compromised device. Once spyware infects a phone, attackers can bypass all encryption and access everything.