Commercial Spyware Targeting Users of Mobile Messaging Applications

Not limited to a single app or OS: These campaigns target users of multiple messaging apps (Signal, WhatsApp, Telegram, etc) on mobile platforms (Android and iOS) and may leverage platform or app vulnerabilities in addition to social engineering

How attackers exploit this vulnerability (attack vector)

1. Phishing & malicious QR / device-linking codes: Attackers send links or QR codes that, when scanned or clicked, link the victim’s account to an attacker-controlled device or persuade users to install malicious apps/dropper installers.
2. Zero-click exploits: Exploits that require no user interactions (e.g., a specially crafted message or media) can deliver spyware silently and are highly effective for targeted compromise.
3. Impersonation / trojanized apps: Attackers create malicious apps or web pages impersonating legitimate messaging platforms to trick victims into installing spyware. Once installed, spyware abuses permissions or platform features to exfiltrate data and spread to contacts.
4. Follow-on-exploitation: After initial access to an account or device, attackers deploy additional payloads (credential harvesters, persistent implants, data exfiltration modules) to deepen access and persistence

CERTVU recommend:

• Immediate update OS and Apps
• Only install apps from trusted stores.
• Turn on multi-factor / two-step verification
• Do not scan untrusted QR codes / links