CISA Issues Urgent Spyware Warning For iPhone And Android — How To Secure Your Smartphone Today (November 28, 2025)


America’s top cyber defense agency has issued an unusually blunt warning: sophisticated spyware campaigns are now actively targeting iPhone and Android users through popular messaging apps like Signal, WhatsApp, Telegram and standard SMS. In response, the Cybersecurity and Infrastructure Security Agency (CISA) has updated its mobile security playbook and is urging people—especially high‑risk users—to lock down their smartphones immediately. [1]

A new Forbes report highlights that CISA’s guidance isn’t just theoretical. It translates into concrete, step‑by‑step settings changes for both iOS and Android designed to make your device much harder to compromise. [2]

Below is what’s happening, why it matters on November 28, 2025, and how to harden your own smartphone today.


A rare federal warning about smartphone spyware

This week’s headlines all point in the same direction: mobile spyware has gone mainstream as a tool of espionage and surveillance.

In an alert published earlier this week, CISA said multiple threat actors are abusing commercial spyware and remote‑access trojans (RATs) to break into encrypted messaging apps. These campaigns rely heavily on social engineering and technical tricks like device‑linking QR codes, spoofed apps and so‑called zero‑click exploits that can infect a device without the victim tapping anything. [3]

According to coverage from outlets including Cybersecurity Dive, The Hacker News and other security reporters:

  • Attackers send QR codes that silently pair a victim’s phone to an attacker‑controlled computer, taking over the messaging session. [4]
  • Zero‑click vulnerabilities in mobile operating systems and apps are being chained to drop spyware with no visible sign of compromise. [5]
  • Fraudulent apps pose as “secure” updates to Signal, WhatsApp and other private messengers, but actually install spyware that can read messages, track location and exfiltrate files. [6]

CISA stresses that the most intensive activity is currently aimed at high‑value targets—government and military officials, political figures, and members of civil‑society groups such as human‑rights organizations. But the underlying techniques (phishing, malicious QR codes, fake apps, abused linked‑device features) work just as well on ordinary users. [7]

In other words: even if you’re not a minister or a diplomat, this warning is still about you.


Inside the new spyware campaigns targeting messaging apps

CISA’s alert pulls together several investigations from security researchers and threat‑intel teams to show how wide the problem has become. [8]

Some of the campaigns highlighted include:

1. Hijacking Signal accounts via linked devices

Russia‑aligned threat actors have abused Signal’s linked‑device feature, which lets you connect your phone to a desktop client. By tricking victims into scanning a malicious QR code, attackers can add their own device as a linked client and silently read messages. [9]

2. ProSpy and ToSpy: fake secure apps

Two Android spyware families, ProSpy and ToSpy, masquerade as popular secure messengers such as Signal or ToTok. Once installed, they maintain persistent access, harvest contacts, steal messages and send data back to command‑and‑control servers. These campaigns have heavily targeted users in the United Arab Emirates. [10]

3. ClayRat: Telegram channels as an infection pipeline

The ClayRat spyware campaign uses Telegram channels and phishing pages that impersonate well‑known apps like WhatsApp, Google Photos, TikTok, and YouTube, luring victims into installing Trojanized APKs. Once on the device, the malware steals data and monitors communications. [11]

4. Chained Apple + WhatsApp zero‑days

One targeted campaign likely chained an Apple ImageIO zero‑day (CVE‑2025‑43300) with a WhatsApp flaw (CVE‑2025‑55177) to compromise fewer than 200 users. Apple patched the ImageIO bug in August 2025, and CISA later added it to its Known Exploited Vulnerabilities (KEV) catalog after confirming in‑the‑wild abuse. [12]

5. LANDFALL: spyware hidden inside images on Samsung devices

For Android users—especially Samsung Galaxy owners—the most striking case is LANDFALL, a commercial‑grade spyware family discovered by Palo Alto Networks’ Unit 42.

Researchers found that malformed DNG image files, often with file names implying they were WhatsApp images, exploited a Samsung image‑processing vulnerability tracked as CVE‑2025‑21042. The bug allowed a likely zero‑click infection chain that installed LANDFALL and granted it elevated permissions. [13]

CISA subsequently added CVE‑2025‑21042 to its KEV catalog and warned that the flaw had been exploited in the wild months before Samsung patched it in April 2025. [14]

Once installed, LANDFALL can:

  • Record audio
  • Track location
  • Steal photos, contacts and call logs
  • Maintain stealthy persistence on the device [15]
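As an added illustration, not code from CISA, Unit 42 or the article's sources, the following Python check shows the kind of name-versus-content triage a defender could run over quarantined attachments after the LANDFALL reporting: it parses the first TIFF IFD and flags files that carry a DNGVersion tag while being named like ordinary JPEG photos. The WhatsApp-style file name in the test and the DNG stub bytes are constructed samples, and the assumption that WhatsApp photos normally arrive as JPEGs is ours, not the page's.

```python
import struct

JPEG_MAGIC = b"\xff\xd8\xff"
TIFF_LE, TIFF_BE = b"II*\x00", b"MM\x00*"   # little/big-endian TIFF (and DNG) headers
DNG_VERSION_TAG = 0xC612                    # DNGVersion: present in every DNG, absent from plain TIFF

def tiff_tags(data: bytes) -> set[int]:
    """Tag ids in the first IFD of a TIFF container; empty set if the bytes are not TIFF."""
    if len(data) < 8 or data[:4] not in (TIFF_LE, TIFF_BE):
        return set()
    end = "<" if data[:4] == TIFF_LE else ">"
    ifd_off = struct.unpack(end + "I", data[4:8])[0]
    if ifd_off + 2 > len(data):
        return set()            # IFD offset past end of file: malformed, treat as tag-less
    count = struct.unpack(end + "H", data[ifd_off:ifd_off + 2])[0]
    tags = set()
    for i in range(count):
        off = ifd_off + 2 + 12 * i          # each IFD entry is 12 bytes
        if off + 12 > len(data):
            break                           # truncated IFD: keep what was parsed, do not raise
        tags.add(struct.unpack(end + "H", data[off:off + 2])[0])
    return tags

def classify(name: str, data: bytes) -> str:
    """Compare what the file name claims with what the bytes are.
    Only .jpg/.jpeg names are checked, the disguise described in the LANDFALL reporting.
    Returns 'ok', 'dng-disguised-as-jpeg', 'tiff-disguised-as-jpeg', 'unknown' or 'not-checked'."""
    ext = name.rsplit(".", 1)[-1].lower()
    if ext not in ("jpg", "jpeg"):
        return "not-checked"
    if data.startswith(JPEG_MAGIC):
        return "ok"
    if data[:4] in (TIFF_LE, TIFF_BE):
        if DNG_VERSION_TAG in tiff_tags(data):
            return "dng-disguised-as-jpeg"
        return "tiff-disguised-as-jpeg"
    return "unknown"

def make_dng_stub() -> bytes:
    """Constructed sample: a minimal little-endian TIFF whose only IFD entry is DNGVersion 1.4.0.0.
    A harmless stub for exercising the check, not LANDFALL or any real exploit file."""
    entry = struct.pack("<HHI4s", DNG_VERSION_TAG, 1, 4, b"\x01\x04\x00\x00")  # tag, type BYTE, count 4, inline value
    return TIFF_LE + struct.pack("<I", 8) + struct.pack("<H", 1) + entry + struct.pack("<I", 0)

def triage(files: dict[str, bytes]) -> dict[str, str]:
    """Run classify() over a name->bytes mapping, e.g. the contents of a quarantined attachment folder."""
    return {name: classify(name, blob) for name, blob in files.items()}
```

A mismatch is a triage signal, not proof of compromise: camera apps legitimately produce DNG files under their own names, so the check is only meaningful where a name promises a JPEG.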

All of these examples reinforce a crucial point CISA and multiple outlets are hammering home: spyware operators are no longer trying to “break” encryption. Instead, they target the phone itself—the endpoint where encrypted messages are created and read. [16]


CISA’s updated mobile security playbook

CISA’s new Mobile Communications Best Practices guidance, originally developed in response to China’s “Salt Typhoon” espionage campaign, has now been broadened to cover a wider range of targets and updated for this year’s wave of mobile spyware. [17]

Multiple reports (including Cybernews, Computerworld, Digital Information World and The Hacker News) all converge on the same core advice. [18]

Core recommendations for everyone

Regardless of whether you’re a high‑profile target or not, CISA says you should:

  • Use end‑to‑end encrypted (E2EE) messaging apps
    Prefer apps like Signal or WhatsApp that offer true E2EE. Standard SMS and many basic messaging apps are not encrypted at all. [19]
  • Stop relying on SMS for security codes
    Attackers can intercept text messages via telecom compromises or SIM‑swap attacks. Use authentication apps (e.g., Microsoft/Google Authenticator) or hardware security keys (FIDO/passkeys) instead. [20]
  • Adopt a password manager
    Tools such as 1Password, Bitwarden, Apple Passwords or Google Password Manager generate strong, unique passwords and alert you to breaches. [21]
  • Set a carrier PIN
    Add a PIN to your mobile carrier account to make SIM‑swap attacks much harder. [22]
  • Keep phones and apps fully updated
    Enable automatic updates and periodically check that the latest OS and security patches are installed. Spyware campaigns repeatedly exploit vulnerabilities that have already been patched, on devices whose owners lag behind on updates. [23]
  • Consider newer hardware
    Older phones often cannot support the latest security features, even if they still receive OS updates. CISA advises choosing manufacturers with strong update track records and long‑term support—mirroring Android’s own “Enterprise Recommended” guidance. [24]
  • Be extremely wary of QR codes and unexpected security alerts
    Don’t scan group‑invite QR codes from unknown sources, and treat in‑app “security alerts” requesting codes or PINs as suspect until verified via a separate channel. [25]

Extra protections for high‑risk users

For highly targeted individuals—officials, journalists, activists, political staff—CISA goes even further: [26]

  • Assume all communications can be intercepted or manipulated.
  • Use only E2EE communications wherever possible.
  • Enable phishing‑resistant authentication (FIDO / passkeys).
  • Avoid personal VPNs for day‑to‑day mobile browsing; CISA notes they can introduce new trust and tracking risks, and often don’t protect against sophisticated spyware. (Employer‑mandated corporate VPNs are a separate case.) [27]
  • Turn on message expiration / disappearing messages for highly sensitive chats, consistent with any legal or retention obligations. [28]

Step‑by‑step: lock down your iPhone

For iPhone users, CISA’s recommendations—echoed by recent coverage in Computerworld, Forbes summaries and DIW—focus on tightening Apple’s built‑in privacy features and fully committing to encrypted messaging. [29]

1. Turn on Lockdown Mode (for high‑risk users)

  • Go to Settings → Privacy & Security → Lockdown Mode and enable it if you’re at elevated risk.
  • Lockdown Mode restricts many attack surfaces (attachments, certain web features, some services) to make zero‑click exploits significantly harder. [30]

2. Disable SMS fallback

  • In Settings → Messages, toggle off the option that allows messages to be sent as standard SMS when iMessage isn’t available.
  • This pushes more conversations into fully encrypted iMessage rather than unencrypted text. [31]

3. Use iCloud Private Relay or encrypted DNS

  • Enable iCloud Private Relay (if available on your plan), which masks IP addresses and encrypts DNS queries for Safari.
  • Alternatively, configure encrypted DNS (such as Cloudflare 1.1.1.1, Google 8.8.8.8 or Quad9 9.9.9.9) at the Wi‑Fi or system level. [32]

4. Audit app permissions regularly

  • Go to Settings → Privacy & Security and review which apps can access your location, microphone, camera, photos and contacts.
  • Revoke any permission that isn’t truly necessary—spyware and malicious apps often hide behind over‑broad permissions. [33]

5. Harden your Apple ID and iCloud

  • Turn on two‑factor authentication using an authenticator app or security key where possible.
  • Review trusted devices and remove any you don’t recognize.
  • Use a strong, unique passphrase stored in a password manager. [34]

Step‑by‑step: lock down your Android phone

Android’s openness is a strength and a risk—it gives you more flexibility but also more room for mistakes. CISA’s guidance and multiple independent write‑ups emphasize a few key areas. [35]

1. Choose secure hardware

  • Prefer phones from manufacturers with strong security reputations and five‑year update commitments, such as devices on Google’s Android Enterprise Recommended list. [36]
  • Avoid older or rarely updated models; many modern spyware chains target outdated firmware.

2. Enable RCS only with encryption

  • Use Google Messages with end‑to‑end encryption enabled for RCS chats; otherwise, stick to fully encrypted apps like Signal.
  • CISA and independent analysts note that RCS support is still evolving, and unencrypted RCS should be treated like SMS. [37]

3. Configure Private DNS / encrypted DNS

  • In Settings → Network & internet → Private DNS, choose a provider that supports encrypted DNS (for example, Cloudflare, Google or Quad9). [38]

4. Harden Chrome and browsing

  • In Chrome, enable “Always use secure connections” to force HTTPS and switch on Enhanced Safe Browsing to help detect phishing and malicious downloads. [39]

5. Confirm Google Play Protect is running

  • Open Google Play Store → Play Protect and ensure scanning is enabled.
  • Avoid sideloading APKs or using third‑party app stores unless absolutely necessary. Many of the campaigns CISA highlighted involve malicious apps outside official stores. [40]

6. Review app permissions with Permission Manager

  • Go to Settings → Apps → Permission Manager and remove location, camera, microphone and SMS access from apps that don’t need it.
  • Pay special attention to any messaging, “utility” or unknown apps with extensive permissions. [41]

7. Use Android’s advanced protection modes (where available)

  • Some Android builds now include “Advanced Device Protection” or similar high‑security profiles that disable risky features, enforce stricter network controls and enhance safe browsing. Enabling these can significantly raise the bar for attackers. [42]

What this means for everyday smartphone users

Taken together, the latest reporting and CISA’s own alerts paint a clear picture:

  • Spyware is no longer rare. Commercial tools and sophisticated exploit chains have made it easier for governments and mercenary outfits to target specific phones at scale. [43]
  • Encrypted apps are still essential—but not sufficient alone. Attackers aim at the device and the user, not the encryption algorithms. If they control your phone, they control your messages. [44]
  • Basic hygiene makes a huge difference. Keeping devices updated, avoiding shady links, not installing random apps and tightening permissions will block a large percentage of real‑world attacks. [45]

CISA’s updated guidance is not a magic shield—but it does represent a realistic path to dramatically reducing your risk, especially when combined with good digital habits.


FAQ: CISA’s iPhone and Android spyware alert

1. Does this mean Signal, WhatsApp or Telegram encryption is broken?

No. The campaigns highlighted by CISA go after your device, not the cryptography. They hijack accounts through linked devices, exploit OS or app vulnerabilities, or trick users into installing fake apps. The underlying encryption protocols remain intact, but that doesn’t help if the attacker is effectively “sitting on your phone.” [46]

2. I’m not a politician. Do I really need to worry?

You are less likely to be targeted by zero‑click spyware than a minister or activist, but many of the same techniques—phishing, malicious QR codes, fake updates—are used in more routine cybercrime as well. Applying CISA’s best practices (E2EE, strong authentication, cautious app installs) is a smart baseline for everyone. [47]

3. Should I stop using SMS altogether?

For sensitive conversations, yes—CISA explicitly warns against relying on unencrypted text messages, particularly for high‑risk users. Use encrypted messaging apps instead, and avoid SMS for login codes where possible. For mundane, low‑risk messages (delivery notifications, one‑time PINs you can’t change), SMS will probably remain part of life, but treat it as insecure by default. [48]

4. Is using a personal VPN on my phone still a good idea?

CISA’s updated guidance is surprisingly skeptical about personal VPNs on mobile. The agency notes that many consumer VPNs simply shift trust from your internet provider to a VPN company whose practices may be opaque, and they do not meaningfully protect against sophisticated spyware. If your employer requires a corporate VPN, follow their policy, but don’t assume a personal VPN will stop targeted attacks. [49]


If you make just a handful of changes today—switch to encrypted messaging, upgrade authentication, audit permissions and keep your system patched—you’ll be far closer to the “hardened” smartphone CISA envisions in its latest guidance.


References

1. www.cybersecuritydive.com
2. www.forbes.com
3. www.cybersecuritydive.com
4. www.cybersecuritydive.com
5. thehackernews.com
6. www.cybersecuritydive.com
7. www.cybersecuritydive.com
8. www.cybersecuritydive.com
9. thehackernews.com
10. thehackernews.com
11. thehackernews.com
12. thehackernews.com
13. unit42.paloaltonetworks.com
14. securityaffairs.com
15. unit42.paloaltonetworks.com
16. www.cybersecuritydive.com
17. www.cybersecuritydive.com
18. cybernews.com
19. www.computerworld.com
20. thehackernews.com
21. www.digitalinformationworld.com
22. www.digitalinformationworld.com
23. www.digitalinformationworld.com
24. www.digitalinformationworld.com
25. cybernews.com
26. thehackernews.com
27. thehackernews.com
28. cybernews.com
29. www.computerworld.com
30. www.digitalinformationworld.com
31. www.digitalinformationworld.com
32. www.digitalinformationworld.com
33. www.digitalinformationworld.com
34. www.digitalinformationworld.com
35. cybernews.com
36. www.digitalinformationworld.com
37. www.computerworld.com
38. www.digitalinformationworld.com
39. www.digitalinformationworld.com
40. www.digitalinformationworld.com
41. www.digitalinformationworld.com
42. www.nextpit.com
43. www.cybersecuritydive.com
44. www.cybersecuritydive.com
45. www.digitalinformationworld.com
46. www.cybersecuritydive.com
47. www.nextpit.com
48. www.computerworld.com
49. thehackernews.com
