U.S. Agencies Warn Commercial Spyware Targets Signal, WhatsApp, Telegram Users
Federal cybersecurity officials issued an advisory after finding multiple threat actors are using commercial spyware and social engineering to compromise encrypted messaging apps, a risk that extends well beyond intercepted messages. Ordinary users are unlikely targets, but government officials, military personnel, journalists and civil society leaders face elevated danger, and the advisory lays out immediate steps to reduce exposure.

On November 25, 2025, the Cybersecurity and Infrastructure Security Agency issued an advisory warning that multiple threat actors are actively exploiting commercial spyware and social engineering techniques to attack users of encrypted messaging apps including Signal, WhatsApp and Telegram. The alert, reflected in U.S. cybersecurity reporting, described a range of tactics that can give adversaries prolonged access to devices rather than simply intercepting messages.
According to the advisory, attackers have used malicious device-linking QR codes, phishing campaigns, app impersonation and, in some cases, zero-click exploits to bypass protections built into encrypted messaging platforms. The campaigns are notable for combining off-the-shelf spyware with tailored social engineering to trick targets into granting access or linking a device to an attacker-controlled session.
The alert stresses that most ordinary users are unlikely to be targeted, while high-value individuals such as government officials, military personnel, journalists and civil society leaders have been primary targets. CISA emphasized that successful attacks can enable sustained device access, allowing threat actors to harvest contacts, exfiltrate files and monitor communications beyond the scope of any single messaging app.
To reduce risk, the advisory recommends a set of immediate mitigations. Users and organizations should limit device linking where the app allows multiple simultaneous sessions, disable automatic media download to avoid hidden malicious content, and verify group invites and contact requests through separate channels before accepting them. The advisory also urged prompt application of operating system and app updates to close known vulnerabilities and called attention to evolving guidance from other U.S. agencies.

Security practitioners say the advisory reflects a broader shift in the surveillance ecosystem, where commercially available spyware is increasingly paired with social engineering to produce highly effective compromises. The combination makes detection more difficult and increases the stakes for those who handle sensitive information. For groups that represent vulnerable populations or oversee classified material, the implications extend to operational security and personal safety.
The advisory arrives amid ongoing debates about the sale and oversight of commercial spyware and the responsibilities of software vendors to harden their platforms. Messaging companies have long defended strong end-to-end encryption as central to user privacy, yet the CISA alert highlights that encryption alone cannot protect a compromised endpoint.
For now, the federal guidance centers on practical hygiene and configuration changes while agencies refine broader policy responses. Users who manage sensitive communications should review their device and app settings, restrict cross-device linking, and remain vigilant for unexpected contact requests or unusual behavior from colleagues and friends.


