TL;DR: On November 24, 2025, CISA issued an alert warning that state-sponsored hackers are actively compromising Signal and WhatsApp accounts. Russian groups Sandworm and Turla are exploiting Signal's "linked devices" feature with fake QR codes. Commercial spyware called LANDFALL is hitting Samsung phones with zero-click WhatsApp exploits. Targets include government officials, military personnel, and activists across the US, Middle East, and Europe. Your end-to-end encryption won't save you if your device is compromised.
What CISA Found
The US Cybersecurity and Infrastructure Security Agency dropped a blunt warning in late November: multiple threat actors are actively targeting people who use encrypted messaging apps [1].
The attackers aren't breaking the encryption. They're going around it: either by compromising the device, where every message exists as plaintext before it's encrypted and after it's decrypted, or by getting a device of their own accepted as a legitimate endpoint of your account. In both cases the protocol works exactly as designed; it just delivers plaintext to the wrong place.
CISA identified several active campaigns targeting "high-value individuals": government officials, military leaders, political figures, and civil society organizations across the US, Middle East, and Europe [1].
The Linked Devices Trick
Signal lets you link your phone to a desktop or tablet. Convenient feature. Also an attack surface: a linked device is a fully authorized endpoint of your account, so the protocol will happily encrypt every new conversation to it, and nothing in the cryptography distinguishes your laptop from an attacker's.
Russian hacking groups Sandworm and Turla figured out how to abuse it [2]. Here's the attack:
- You receive what looks like a legitimate QR code, maybe disguised as a group invite, security alert, or device pairing instruction [3]
- You scan it with Signal
- The QR code doesn't do what it claims. It links your account to an attacker-controlled device
- Every new message you send or receive now flows to both your phone and theirs, in real time
The attack exploits trust, not a bug. The QR code might come from a compromised contact, a phishing email, or a spoofed website, and the QR code itself can't force anything: you have to scan it with Signal's own scanner and accept the pairing. The social engineering exists to walk you to that prompt while you believe you're joining a group or verifying your account. Once linked, the attacker becomes a silent third party in all your conversations until you notice the extra device and remove it.
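A QR code is just text, and the message wrapped around it ("join our group", "verify your account") is not part of that text. The practical check is to decode the code with a generic reader first (a camera app that shows the raw content, or a tool such as `zbarimg` from the zbar project) and look at what it actually encodes before letting Signal act on it. The classifier below is an added example, my own code rather than anything from the page, CISA, or Signal; the link formats it recognizes (`sgnl://linkdevice?uuid=…&pub_key=…` for pairing, `https://signal.group/#…` for group invites, `https://signal.me/#…` for contacts) are assumptions taken from Signal's open-source clients at the time of writing and should be checked against the current source. The sample payloads are constructed, not real links.

```python
from urllib.parse import parse_qs, urlsplit

# Link formats assumed from Signal's open-source client (verify against current source):
#   sgnl://linkdevice?uuid=...&pub_key=...    pairs a NEW device to your account
#   https://signal.group/#...                  group invite
#   https://signal.me/#p/<number> or #eu/...   contact link
# Whatever the surrounding message claims, only the payload decides what Signal does.


def classify_signal_qr(payload: str) -> dict:
    """Classify decoded QR text without acting on it.

    Returns a dict with 'kind' (device-link | group-invite | contact | unknown),
    'links_device' (True/False, or None when unknown) and a short 'note'.
    """
    parts = urlsplit(payload.strip())
    scheme, host = parts.scheme.lower(), parts.netloc.lower()

    if scheme == "sgnl" and host == "linkdevice":
        params = parse_qs(parts.query)
        missing = [k for k in ("uuid", "pub_key") if k not in params]
        note = "device-link request: scanning this authorizes another device to receive your messages"
        if missing:
            note += f" (malformed, missing {', '.join(missing)})"
        return {"kind": "device-link", "links_device": True, "note": note}

    if scheme == "https" and host == "signal.group" and parts.fragment:
        return {"kind": "group-invite", "links_device": False,
                "note": "group invite; joining a group never requires linking a device"}

    if scheme == "https" and host == "signal.me" and parts.fragment:
        return {"kind": "contact", "links_device": False,
                "note": "contact link; opens a chat, does not touch linked devices"}

    return {"kind": "unknown", "links_device": None,
            "note": "not a recognized Signal link; do not hand it to Signal's scanner"}


def safe_to_scan_as_group_invite(payload: str) -> bool:
    """The question the social engineering tries to stop you asking: does the code
    presented as a 'group invite' actually encode a group invite?"""
    return classify_signal_qr(payload)["kind"] == "group-invite"


if __name__ == "__main__":
    # Constructed samples, not real links.
    samples = [
        "https://signal.group/#CjQKIHrvBzdVJfoW3kVz2Ez0Y7DOKkLxbEBq0d8Q_yW1nLnEEhCfRtsDxKdvRkfEVjEEdb0D",
        "sgnl://linkdevice?uuid=3f0c2b94-4e1a-4c9f-9f6d-7b2a1e5c8d10&pub_key=BVbUvQ8y0k%2Fj3",
        "https://evil.example/verify?account=signal",
    ]
    for s in samples:
        r = classify_signal_qr(s)
        print(f"{r['kind']:<13} links_device={str(r['links_device']):<5} {r['note']}")
```

The point is the `links_device` bit: a group invite, a contact link and a verification page are all things Signal can handle without adding an endpoint to your account, so any code whose payload starts with `sgnl://linkdevice` while being sold to you as one of those is the attack described above, regardless of who sent it.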
Zero-Click: Your Phone Betrays Itself
The linked devices attack requires you to scan a QR code. LANDFALL doesn't need anything from you.
LANDFALL is commercial-grade spyware targeting Samsung Galaxy devices. According to the security researchers tracking the campaign, it chains a vulnerability in Samsung's image handling with WhatsApp as the zero-click delivery channel [2].
The attack works like this:
- An attacker sends a malicious .DNG image file to your WhatsApp
- WhatsApp processes the image automatically
- Parsing the file triggers the Samsung image-handling vulnerability. WhatsApp's encryption is irrelevant here: the file is decrypted, exactly as intended, before the phone ever parses it
- Your device compromises itself: no tap, no click, no interaction required [3]
Once LANDFALL is installed, attackers have access to your messages, files, photos, contacts, call history, and location data.
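"WhatsApp processes the image automatically" is the whole problem: a DNG is a TIFF container, and every offset and count in it is attacker-supplied input that the decoder follows with no user action. The example below is added here and is my own code, not anything from the page, CISA, or the researchers who analyzed LANDFALL. It walks the TIFF structure (the IFD chain, SubIFDs and the Exif IFD), rejects anything that points outside the file, and reports how many bytes sit past the declared structure. That is a generic triage heuristic for any TIFF-based file you were sent, not a LANDFALL signature; the page does not describe the exploit internals and neither does this. The sample file is constructed in the code.

```python
import struct

# Byte size of each TIFF field type (codes 1..12 from TIFF 6.0, 13 = IFD pointer).
TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 6: 1, 7: 1, 8: 2, 9: 4, 10: 8, 11: 4, 12: 8, 13: 4}
STRIP_OFFSETS, STRIP_BYTE_COUNTS = 273, 279
TILE_OFFSETS, TILE_BYTE_COUNTS = 324, 325
SUB_IFDS, EXIF_IFD = 330, 34665


def _ints(e, data, typ, cnt, raw):
    """Read a SHORT/LONG/IFD-typed field's values, inline or via its offset."""
    fmt = {3: "H", 4: "I", 13: "I"}.get(typ)
    if fmt is None:
        return []
    total = TYPE_SIZES[typ] * cnt
    if total <= 4:
        src = raw[:total]
    else:
        ptr = struct.unpack(e + "I", raw)[0]
        src = data[ptr:ptr + total]
    if len(src) != total:
        raise ValueError("field values outside file")
    return list(struct.unpack(e + fmt * cnt, src))


def tiff_extent(data: bytes) -> dict:
    """Walk a TIFF/DNG and report how far into the file its declared structure reaches.
    Raises ValueError when any offset leaves the file, which a hardened decoder should
    also treat as fatal instead of trusting the attacker-supplied offsets."""
    if len(data) < 8 or data[:2] not in (b"II", b"MM"):
        raise ValueError("not a TIFF container")
    e = "<" if data[:2] == b"II" else ">"
    magic, first = struct.unpack(e + "HI", data[2:8])
    if magic != 42:
        raise ValueError("bad TIFF magic")
    end, seen, queue, ifds = 8, set(), [first], 0
    while queue:
        off = queue.pop()
        if off == 0 or off in seen:
            continue
        if off + 2 > len(data):
            raise ValueError("IFD offset outside file")
        seen.add(off)
        (n,) = struct.unpack_from(e + "H", data, off)
        ifd_end = off + 2 + n * 12 + 4
        if ifd_end > len(data):
            raise ValueError("IFD truncated")
        end, ifds = max(end, ifd_end), ifds + 1
        offsets, counts = [], []
        for i in range(n):
            tag, typ, cnt, raw = struct.unpack_from(e + "HHI4s", data, off + 2 + i * 12)
            size = TYPE_SIZES.get(typ)
            if size is None:
                raise ValueError(f"unknown field type {typ} for tag {tag}")
            total = size * cnt
            if total > 4:  # value slot holds an offset to out-of-line data
                ptr = struct.unpack(e + "I", raw)[0]
                if ptr + total > len(data):
                    raise ValueError(f"tag {tag} data outside file")
                end = max(end, ptr + total)
            if tag in (STRIP_OFFSETS, TILE_OFFSETS):
                offsets = _ints(e, data, typ, cnt, raw)
            elif tag in (STRIP_BYTE_COUNTS, TILE_BYTE_COUNTS):
                counts = _ints(e, data, typ, cnt, raw)
            elif tag in (SUB_IFDS, EXIF_IFD):
                queue.extend(_ints(e, data, typ, cnt, raw))
        for o, c in zip(offsets, counts):  # pixel data referenced by this IFD
            if o + c > len(data):
                raise ValueError("image data outside file")
            end = max(end, o + c)
        queue.append(struct.unpack_from(e + "I", data, off + 2 + n * 12)[0])
    return {"ifds": ifds, "declared_end": end, "file_size": len(data), "trailing": len(data) - end}


def build_sample_dng(trailer: bytes = b"") -> bytes:
    """Constructed sample: a minimal little-endian 2x2 8-bit grayscale TIFF with a
    DNGVersion tag, optionally with extra bytes appended after the image data."""
    e = "<"
    entry = lambda tag, typ, cnt, raw: struct.pack(e + "HHI", tag, typ, cnt) + raw
    short = lambda v: struct.pack(e + "H", v) + b"\x00\x00"
    long_ = lambda v: struct.pack(e + "I", v)
    make, pixels, n = b"ACME\x00\x00", b"\x00\xff\xff\x00", 10
    make_off = 8 + 2 + n * 12 + 4          # right after the IFD
    strip_off = make_off + len(make)
    entries = [
        entry(256, 3, 1, short(2)), entry(257, 3, 1, short(2)),
        entry(258, 3, 1, short(8)), entry(259, 3, 1, short(1)),
        entry(262, 3, 1, short(1)), entry(271, 2, len(make), long_(make_off)),
        entry(273, 4, 1, long_(strip_off)), entry(278, 3, 1, short(2)),
        entry(279, 4, 1, long_(len(pixels))), entry(50706, 1, 4, b"\x01\x04\x00\x00"),
    ]
    ifd = struct.pack(e + "H", n) + b"".join(entries) + struct.pack(e + "I", 0)
    return b"II" + struct.pack(e + "HI", 42, 8) + ifd + make + pixels + trailer


if __name__ == "__main__":
    for label, blob in (("clean", build_sample_dng()),
                        ("padded", build_sample_dng(b"PK\x03\x04" + b"\x00" * 60))):
        print(label, tiff_extent(blob))
```

Two caveats on reading the result. A non-zero `trailing` is a prompt to look closer, not a verdict: legitimate cameras leave private IFDs, XMP blocks and makernotes that this walker does not follow. And the checks that raise `ValueError` are the interesting part for the page's argument: each one is a place where a decoder that trusts the file's own offsets would read memory it shouldn't, and it does so the moment the file is parsed, which for an auto-downloaded attachment is before you have seen it.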
Impersonation Attacks
CISA also flagged several campaigns using fake versions of popular apps [2]:
- ProSpy and ToSpy: Android malware disguised as Signal, TikTok, and other apps, targeting UAE residents
- ClayRat: spyware distributed through Telegram channels and phishing pages
- Spoofed versions of WhatsApp, Telegram, and YouTube spreading through unofficial app stores and message links
These fake apps look legitimate. They might even work normally, while silently hoovering up your chat data, recordings, and files in the background.
Who's Being Targeted
CISA's alert specifically mentions "high-value individuals" [1]:
- Current and former government officials
- Military personnel
- Political figures
- Civil society organizations
Geography matters. The campaigns CISA documented focus on targets in the United States, Middle East, and Europe. Ukraine has been hit particularly hard by the Signal linked-devices attacks, with Russian groups targeting communications around the ongoing conflict.
But the tools don't check credentials before infecting. If you're in contact with anyone in these categories, you're a potential stepping stone.
What Encryption Can't Protect You From
Here's the uncomfortable truth: end-to-end encryption is necessary but not sufficient.
When you send a Signal message, it's encrypted from your device to the recipient's device. Nobody in between (not Signal, not your carrier, not a government) can read it in transit.
But "in transit" is the key phrase. On your phone, before it's sent and after it's received, the message exists as readable text. Spyware on your device reads it at that moment.
As CISA put it: "These cyber actors use sophisticated targeting and social engineering techniques to deliver spyware and gain unauthorized access to a victim's messaging app" [1].
The attack surface isn't the encryption. It's the device.
How to Protect Yourself
CISA points to their Mobile Communications Best Practice Guidance and their guide for civil society organizations facing limited resources [1]. Here's the actionable version:
Audit Your Linked Devices
In Signal: Settings → Linked Devices. In WhatsApp: Settings → Linked Devices. Remove anything you don't recognize, and anything you do recognize but no longer use: every linked device is a standing recipient of your new messages. If you find a device you never added, treat your conversations as exposed for the whole period it was linked, not just from the moment you noticed; Signal shows when each device was linked and when it was last active, which bounds that window. Do this weekly if you're high-risk.
Never Scan Unknown QR Codes
If someone sends you a QR code claiming to be a group invite or security verification, don't scan it. Open the app directly and handle it through the normal interface. When you genuinely need to link a device, start from Settings → Linked Devices on the phone and scan the code shown by the desktop app in front of you, never one that arrived in a message or email.
Enable iPhone Lockdown Mode
If you use iOS and face elevated risk, enable Lockdown Mode (Settings → Privacy & Security → Lockdown Mode). It blocks many spyware attack vectors by disabling vulnerable features.
Ensure Play Protect Is Active
On Android, verify Google Play Protect is enabled (Play Store → Profile → Play Protect). It scans for known malware, though it won't catch zero-days.
Additional Defenses
- Use FIDO2 hardware keys: Physical security keys are phishing-resistant because the key only signs for the genuine site's origin, so a look-alike page gets nothing it can replay. Note the limit: this protects your accounts from credential phishing; it does nothing against a device you linked yourself or spyware already on the phone.
- Abandon SMS two-factor: SMS codes can be intercepted via SIM swapping or SS7 attacks. Use authenticator apps or hardware keys instead.
- Set a carrier PIN: Contact your phone carrier and set a PIN required for any account changes. This blocks SIM swap attacks.
- Update obsessively: Zero-click exploits target unpatched vulnerabilities. Install iOS, Android, and app updates the day they drop.
- Disable automatic media downloads: In WhatsApp, turn off auto-download for photos and videos. The LANDFALL attack requires WhatsApp to process the malicious image, so reducing what gets processed unprompted reduces exposure. Treat this as a mitigation, not a fix: the hole is closed by the Samsung patch, not by the setting.
- Only install from official stores: Never sideload apps or install via links in messages. Every fake app CISA documented came from outside official stores.
For Journalists, Activists, and Targeted Individuals
If you work in media, human rights, immigration advocacy, or government (or you communicate regularly with people who do) you face elevated risk.
- Use separate devices: Keep sensitive communications on a dedicated phone that doesn't have your personal apps, social media, or email.
- Watch for Apple/Google warnings: Both companies notify users when they detect state-sponsored attacks. Take these seriously.
- Reboot daily: Some spyware lives only in memory and doesn't survive a restart, so a daily reboot clears it until the operator re-exploits the device. It raises the attacker's cost; it doesn't tell you whether you were infected, and it's no substitute for forensic analysis.
- Get forensic help if suspicious: Citizen Lab at the University of Toronto offers forensic analysis for journalists and activists who suspect targeting, and Access Now runs a Digital Security Helpline for civil society.
- Assume compromise for critical conversations: If it absolutely cannot leak, have it in person.
The Surveillance Ecosystem
The CISA alert fits a broader pattern. Commercial spyware makers like NSO Group (Pegasus) and Paragon Solutions (Graphite) sell device-compromise tools to governments worldwide. State actors like Russia and China run their own operations.
ICE recently reactivated a $2 million contract with Paragon for Graphite spyware, technology that does exactly what LANDFALL does: bypass encryption by compromising the device [4].
The message from CISA is clear: encrypted messaging is under active attack. Not the math. The devices holding your keys.
References
- [1] CISA: Spyware Allows Cyber Threat Actors to Target Users of Messaging Applications (November 24, 2025)
- [2] The Register: CISA: Spyware crews breaking into Signal, WhatsApp accounts (November 25, 2025)
- [3] Privacy Guides: State-sponsored spyware campaign targeting Signal and WhatsApp, CISA warns (November 26, 2025)
- [4] Access Now: The U.S. has reactivated its Paragon contract, and it should alarm everyone