How attackers bypass encrypted messaging apps with social engineering and commercial spyware
Takeaways
- Attackers increasingly use social engineering and commercial spyware to bypass encrypted messaging app defenses and eavesdrop on sensitive communications.
- New threats, such as NFC relay attacks, allow cybercriminals to hijack mobile transactions and compromise device security from a distance.
- Organizations should implement zero-trust messaging, avoid SMS-based authentication, and use additional account security measures to protect against these advanced attacks.
Encrypted mobile messaging tools enable secure data sharing for government agencies and private enterprises. Instead of attempting to break through these digital defenses, however, attackers have found a way around: Targeted social engineering paired with commercial spyware.
According to a recent alert from the Cybersecurity and Infrastructure Security Agency (CISA), cybercriminals are using malicious QR codes, zero-click exploits and application impersonation to access secure messaging platforms and steal protected data.
Spies on the prize
As noted by the CISA alert, attackers aren't trying to gain control of secure apps such as Signal and WhatsApp. Instead, they want to go along for the ride and eavesdrop on critical conversations. Research suggests that top targets include current and former government, military and political officials, along with high-value individuals in the United States, Europe and the Middle East.
It makes sense: Eavesdropping on military messages or listening in on civil service communications can provide valuable data for nation-state reconnaissance agencies or a substantial payout for malicious actors.
To access secure messaging apps, attackers use tactics such as:
Phishing + QR codes
Attackers create targeted phishing campaigns that convince users to click through on malicious links or scan QR codes. These codes both compromise user accounts and link them to devices owned by attackers. The result? Cybercriminals can track and monitor all conversations across secure messaging apps, and use device access to install malware, ransomware, or advanced persistent threats (APTs).
Zero-click exploits
Phishing and similar attack methods rely on user action — victims must click a link, scan a code, or send a message. Zero-click exploits, meanwhile, occur automatically once specific conditions are met. Consider the LANDFALL spyware, which leverages a zero-day vulnerability in Samsung's Android image processing library.
Here's how it works: Attackers send a malformed Digital Negative (DNG) image with an embedded ZIP archive via WhatsApp. Once received, the image is parsed and processed without any input from the user, leading to the deployment of commercial-grade spyware on the device.
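As an added defensive example (not from the CISA alert, and not a detector for the specific exploit), the script below triages a file that claims to be a DNG image for the structural trait described above: a second container, a ZIP archive, riding inside a TIFF-based image. It assumes the embedded archive is intact (a real end-of-central-directory record) and walks the ZIP structure backwards so that a stray "PK" byte pattern in pixel data does not trigger a hit; the sample files are constructed in the script itself.

```python
import io
import struct
import zipfile

# DNG is a TIFF container: byte-order mark ("II" or "MM") followed by magic 42.
TIFF_MAGIC = (b"II*\x00", b"MM\x00*")
ZIP_LOCAL_HDR = b"PK\x03\x04"   # local file header
ZIP_CDIR_HDR = b"PK\x01\x02"    # central directory entry
ZIP_EOCD = b"PK\x05\x06"        # end of central directory record


def is_tiff_container(data: bytes) -> bool:
    return data[:4] in TIFF_MAGIC


def find_embedded_zip(data: bytes):
    """Locate a structurally consistent ZIP archive inside `data`.

    Walks back from the last EOCD record to the central directory and then to
    the first local header, checking each signature. Returns
    (archive_start, eocd_offset) or None."""
    eocd = data.rfind(ZIP_EOCD)
    if eocd < 0 or eocd + 22 > len(data):
        return None
    # EOCD layout (22 bytes): sig, disk, cd disk, entries here, total entries,
    # cd size, cd offset (relative to archive start), comment length
    _, _, _, _, _, cd_size, cd_offset, _ = struct.unpack_from("<4sHHHHIIH", data, eocd)
    cd_start = eocd - cd_size
    if cd_start < 0 or data[cd_start:cd_start + 4] != ZIP_CDIR_HDR:
        return None
    archive_start = cd_start - cd_offset
    if archive_start < 0 or data[archive_start:archive_start + 4] != ZIP_LOCAL_HDR:
        return None
    return archive_start, eocd


def scan_dng(data: bytes) -> dict:
    """Triage heuristic: an image file should never carry a second container."""
    report = {"tiff_header": is_tiff_container(data), "embedded_zip": None, "suspicious": False}
    hit = find_embedded_zip(data)
    if hit is not None:
        archive_start, _ = hit
        entries = []
        try:
            with zipfile.ZipFile(io.BytesIO(data[archive_start:])) as zf:
                entries = zf.namelist()
        except zipfile.BadZipFile:
            pass  # signatures line up but the archive is damaged; still flag it
        report["embedded_zip"] = {"offset": archive_start, "entries": entries}
        report["suspicious"] = True
    return report


def build_clean_sample() -> bytes:
    # Constructed fixture: minimal little-endian TIFF header (IFD offset 8) plus filler bytes.
    return b"II*\x00" + struct.pack("<I", 8) + bytes(range(256)) * 4


def build_sample_with_zip() -> bytes:
    # Constructed fixture: the same carrier with a small, benign ZIP archive appended.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("marker.txt", b"constructed sample entry, not a payload")
    return build_clean_sample() + buf.getvalue()


if __name__ == "__main__":
    for name, blob in (("clean", build_clean_sample()), ("with-zip", build_sample_with_zip())):
        print(name, scan_dng(blob))
```

In a mail or chat gateway this check would run on attachments before they reach a device; a hit is a reason to quarantine the file and inspect the listed entries, not proof of the specific vulnerability.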
Application impersonation
Attackers are also using applications themselves to infect devices with spyware. One example is ClayRat, which uses both Telegram itself and seemingly legitimate websites to offer application "upgrades" or patches that are actually spyware payloads. By registering itself as the default SMS handler on Android, ClayRat gains access to SMS, call logs, and notifications, and can also execute remote commands to take photos, make calls, send mass SMS messages, and exfiltrate data.
Once malicious actors gain access to secure apps, they use commercial spyware to intercept conversations. The widespread availability of this spyware is a challenge in itself. Although the U.S. Treasury has imposed sanctions on some spyware makers, and companies like WhatsApp have filed lawsuits against spyware creators, the market is simply too big to control.
Navigating new NFC threats
The uptick of commercial spyware infections has also created "tap-and-steal" threats tied to near-field communication (NFC).
First, attackers infect target devices and collect key data. Using this information, they deploy a stealthy first stage that slips under defensive radar and installs further malware targeting the mobile operating system and application permissions.
From the user's perspective, NFC purchases appear normal: They tap, pay, and go about their day. In actuality, the installed malware has hijacked the transaction by turning the device's NFC chip into one end of a relay. The other end is a second, attacker-controlled device located miles away. This allows cybercriminals to sidestep the core defensive benefit of NFC: Distance.
Ordinarily, NFC transactions are confined to 10 cm or less. By turning user devices into a relay, attackers eliminate this security control without triggering defensive actions. For CIOs and CISOs tasked with managing mobile device fleets, this creates a double whammy: Hijacked messages paired with fraudulent purchases that are hard to track and harder to stop.
Managing mixed messages
For corporate networks, these spyware attacks represent a quiet but persistent threat. If attackers can gain access to secure messaging apps or hijack NFC transactions, enterprises may see IP data stolen or money fraudulently moved.
To help manage mixed messages, the CISA Mobile Communications Best Practice Guidance recommends actions such as:
Adopting a zero-trust messaging approach
While the CISA guidance suggests the use of encrypted messaging services, it also warns against implicitly trusting these apps. To avoid potential compromise, users should verify the authenticity of any group invitations, remain suspicious of any unexpected security alert messages, and report all suspicious activity through the app's support channels.
Moving away from SMS
The guidance also recommends moving away from SMS, especially for multi-factor authentication. Because SMS is not encrypted, MFA messages may be read by attackers, who could in turn use one-time codes to access devices and install spyware.
Set a telco PIN
As noted by CISA, many telecommunications providers let administrators set an additional PIN or passcode on a mobile phone account, which must be provided before users can complete sensitive actions such as installing new software or porting a phone number.
Bottom line? Encrypted messaging apps are only effective if companies know exactly who's listening. With sophisticated spyware and NFC attacks on the rise, enterprises need to prioritize zero-trust operations that reduce reliance on SMS and require additional verification to authorize critical actions.