CISA Alert: Zero-Click Mobile Spyware via QR Linking and Impersonation

CISA’s latest alert warns that multiple cyber threat actors are actively using commercial spyware to compromise users of mobile messaging applications — employing sophisticated social-engineering, zero‑click exploitation, and impersonation to gain unauthorized access to messages and to install follow‑on payloads that fully compromise phones.

[Image: Hooded hacker displays a glowing QR code on a smartphone.]

Background

CISA’s advisory describes varied tactics: phishing and malicious device‑linking QR codes that trick users into linking accounts to attacker‑controlled devices; zero‑click exploits that require no user interaction; and impersonation of trusted messaging platforms such as Signal and WhatsApp to induce victims to install fake clients or reveal credentials. The agency says current targeting appears opportunistic but shows a focus on high‑value individuals — including government, military, political officials, and civil‑society actors — across the United States, the Middle East, and Europe.
This alert sits atop a string of high‑profile mobile spyware discoveries in 2024–2025. Security researchers have documented at least two distinct delivery patterns in widespread reporting: a Samsung image‑codec zero‑day used to deliver a commercial Android spyware family called LANDFALL, and a separate zero‑click chain that abused WhatsApp and Apple image‑parsing bugs to target iOS/macOS users. Both periods of activity show attackers leveraging the automatic media‑preview behaviors of messaging apps to achieve silent infection.

Why this matters: the threat model explained

Zero‑click and near‑zero‑click delivery

A zero‑click exploit becomes active when a device automatically processes received content (for example, a message attachment or image preview) without explicit user action. That makes it especially dangerous for messaging app users because it defeats ordinary user‑centric defenses (don't click strange links). The LANDFALL campaign demonstrates how a malformed image (DNG/raw format) can be crafted to trigger a vulnerable image codec, extract in‑memory payloads, and execute spyware — all while the recipient never opens a file. Similarly, an August 2025 WhatsApp vulnerability (tracked as CVE‑2025‑55177) combined with an Apple Image I/O flaw enabled a chain that delivered spyware to Apple devices without victim interaction. Meta confirmed it notified fewer than 200 users believed to be targeted in that campaign. Zero‑click attacks like these are attractive to attackers because the infection rate among selected targets can be high while detection remains low.

Device‑linking and QR code social engineering

Messaging apps now support multi‑device linking via QR codes and device‑pairing flows. Attackers mimic legitimate linking prompts or create malicious pages that trick users into scanning a QR code — which then attaches the victim’s account to an adversary‑controlled device. These social‑engineering flows are low‑cost and high‑impact: a successful link can let attackers read messages and receive copies of incoming and outgoing chats. CISA explicitly calls out QR‑based device linking and impersonation of messaging‑platform UI as active tactics.

Impersonation and droppers

Beyond zero‑clicks, attackers distribute trojanized messaging clients (fake Signal, WhatsApp, or regionally popular apps) or use phishing pages and typosquatting channels to prompt users into installing malicious APKs. Campaigns like ClayRat have shown broad use of impersonation (fake app pages, Telegram distribution) to push Android spyware that abuses runtime permission flows to capture SMS and other sensitive data.

Technical deep dive: notable cases and verified mechanics

LANDFALL — Samsung image codec + DNG attack chain

  • What happened: Unit 42 researchers named an Android spyware family LANDFALL that exploited a vulnerability in Samsung’s image processing library (libimagecodec.quram.so), tracked as CVE‑2025‑21042. Patches for affected Samsung One UI builds were included in Samsung’s April 2025 SMR. The exploit used crafted DNG/raw image files that contained appended ZIP archives; when the vulnerable codec parsed the file (for a preview), it triggered an out‑of‑bounds write that allowed the extraction and in‑memory execution of shared objects (b.so and l.so). The payload then manipulated SELinux policies to obtain persistence and elevated privileges.
  • Capabilities observed: Once installed, LANDFALL modules were capable of broad surveillance — microphone and camera activation, collecting photos, messages, contacts, call logs, location, browser data, and arbitrary file exfiltration. Researchers found artifact uploads and telemetry indicating victims in Iraq, Iran, Turkey, and Morocco. The campaign appears targeted rather than opportunistic mass propagation, though the underlying codec vulnerability could be leveraged widely if unpatched.
  • Why it mattered: Because the bug resided in a system image codec that messaging apps and OS previewers call automatically, attackers could achieve zero‑click compromise via any app that previews images. This greatly expands the attacker’s delivery surface beyond a single messaging vendor.
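The zero‑click mechanics described above and in the LANDFALL bullets (a TIFF‑based DNG file that carries an appended ZIP archive) lend themselves to a simple triage check that a defender can run over files arriving through a gateway or pulled from a device during an investigation. The script below is an added example written for this article; it is not Unit 42's tooling, CISA's, or Samsung's, and it does not reproduce the codec bug. It assumes the documented layout only at the coarsest level (a valid TIFF/DNG header followed somewhere by a ZIP archive), walks the IFD chain to confirm the file really is TIFF‑structured, and flags any image that also contains a readable ZIP. The sample files are constructed in memory: the member names b.so and l.so come from the article, but their contents are placeholder bytes.

```python
import io
import struct
import zipfile

# ZIP signatures: local file header and end-of-central-directory record.
ZIP_LOCAL_HEADER = b"PK\x03\x04"
ZIP_EOCD = b"PK\x05\x06"


def parse_tiff_header(data):
    """Return (struct byte-order prefix, first IFD offset) for a TIFF/DNG file, else None."""
    if len(data) < 8:
        return None
    order = {b"II": "<", b"MM": ">"}.get(data[:2])
    if order is None:
        return None
    magic, first_ifd = struct.unpack(order + "HI", data[2:8])
    return (order, first_ifd) if magic == 42 else None


def walk_ifds(data, order, first_ifd, max_ifds=64):
    """Follow the IFD chain and return [(offset, entry_count), ...]; stops on loops or truncation."""
    ifds, offset, seen = [], first_ifd, set()
    while offset and offset not in seen and len(ifds) < max_ifds:
        seen.add(offset)
        if offset + 2 > len(data):
            break
        (count,) = struct.unpack(order + "H", data[offset:offset + 2])
        end = offset + 2 + 12 * count + 4  # entries are 12 bytes; 4-byte next-IFD pointer
        if end > len(data):
            break
        ifds.append((offset, count))
        (offset,) = struct.unpack(order + "I", data[end - 4:end])
    return ifds


def find_embedded_zip(data):
    """Locate a ZIP archive carried inside the image; return its offset and member names."""
    start = data.find(ZIP_LOCAL_HEADER)
    if start < 0 or data.rfind(ZIP_EOCD) < start:
        return None
    try:
        members = zipfile.ZipFile(io.BytesIO(data[start:])).namelist()
    except zipfile.BadZipFile:
        members = []  # signature present but archive unreadable: still worth a look
    return {"offset": start, "members": members}


def scan_image(data):
    """Triage verdict: a valid TIFF/DNG that also carries a ZIP archive is flagged."""
    header = parse_tiff_header(data)
    ifd_count = len(walk_ifds(data, *header)) if header else 0
    embedded = find_embedded_zip(data)
    return {
        "is_tiff": header is not None,
        "ifds": ifd_count,
        "embedded_zip": embedded,
        "suspicious": header is not None and embedded is not None,
    }


# --- constructed samples (placeholder bytes, not real malware) ---------------

def make_minimal_tiff():
    """Smallest little-endian TIFF: header, one IFD with a single ImageWidth entry, no next IFD."""
    header = b"II" + struct.pack("<HI", 42, 8)
    ifd = struct.pack("<H", 1) + struct.pack("<HHII", 256, 3, 1, 1) + struct.pack("<I", 0)
    return header + ifd


def make_sample_with_zip():
    """Minimal TIFF with a harmless ZIP appended, mimicking the 'image + archive' layout."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("b.so", b"placeholder bytes, not a real shared object")
        zf.writestr("l.so", b"placeholder bytes, not a real shared object")
    return make_minimal_tiff() + buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("benign", make_minimal_tiff()), ("appended-zip", make_sample_with_zip())):
        print(label, scan_image(blob))
```

A legitimate DNG never needs a ZIP archive inside it, so the check has a low false‑positive rate, but it is a layout heuristic rather than a detection for the codec vulnerability itself: a file can still be malicious without an appended archive, and patching the codec remains the real fix.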

WhatsApp + Apple zero‑click chain (iOS/macOS)

  • What happened: In August 2025, WhatsApp patched CVE‑2025‑55177, which allowed an attacker to cause the app to process content from arbitrary URLs during linked‑device synchronization. Paired with an Apple Image I/O vulnerability (CVE‑2025‑43300), attackers used chained flaws to push content that triggered the Apple bug and enabled remote compromise of iOS/macOS devices without interaction. Meta reported sending notifications to under 200 users it believes were targeted in that operation.
  • Why it mattered: This chain showed that even vendors with strong security reputations can be used as delivery vectors if their client logic allows external content to be fetched or processed without strict authorization checks. Messaging platforms’ convenience features (linked devices, auto‑preview) are an exploitable tradeoff.

ClayRat and impersonation campaigns

  • What happened: Other Android spyware — exemplified by ClayRat — uses impersonation, typosquatting pages, and Telegram or other social channels to distribute fake app packages. These droppers request privileged roles (SMS handler, accessibility services) and abuse legitimate OS capabilities to drain messages, calls, and other data. Researchers have documented hundreds of variants, multiple droppers, and widespread distribution via phishing sites and messaging channels.
  • Why it matters: ClayRat and similar campaigns show the other side of the threat: user‑installs that combine social engineering with OS permission abuse, which are much easier to scale than targeted zero‑click exploits and pose substantial risk to less‑protected users and civil‑society groups.

What CISA recommends (and practical actions for users)

CISA points users and organizations to its updated Mobile Communications Best Practice Guidance and targeted mitigations for civil‑society organizations. The agency’s practical advice can be condensed into immediate, medium, and longer‑term actions.

Immediate actions (apply within 24–72 hours)

  • Update your OS and messaging apps to the latest available versions. Prioritize Samsung devices that have not yet received SMR Apr‑2025 or later.
  • Turn off automatic media preview in messaging apps when possible; avoid auto‑downloading attachments. This reduces the zero‑click attack surface.
  • Verify linked devices: check account settings on Signal, WhatsApp, and other apps for unfamiliar linked sessions and remove any you don’t recognize. Enable notifications for new device links.

Short‑to‑medium term (1 week to 1 month)

  • Enroll devices in Mobile Device Management (MDM) for enterprise or organizational users; apply MDM controls to restrict app sideloading and disable high‑risk features for at‑risk populations.
  • For high‑value individuals and civil‑society organizations, consider using a dedicated hardened device for sensitive communications and a separate burner or secondary device for routine messaging.

Hardening and operational practices (ongoing)

  • Use end‑to‑end encrypted messaging platforms and verify safety or authentication keys (e.g., Signal safety numbers) for critical contacts. While E2EE does not stop device compromise, it limits interception via network‑level attacks.
  • Enforce multi‑factor authentication (MFA) where available and prefer hardware tokens for high‑privilege logins.
  • Maintain an up‑to‑date inventory of devices and a patch management program; treat known exploited vulnerabilities (KEVs) as remediation priorities.

Practical steps for enterprise defenders and incident responders

  • Inventory and prioritize: identify Samsung devices and other mobile endpoints in the environment and flag unmanaged BYOD used to access corporate resources. Apply compensating controls where patches cannot be deployed immediately.
  • Detection and hunting: search MDM and EDR logs for processes that load unexpected shared object libraries, sudden SELinux policy changes, or unusual outbound HTTPS traffic from devices. Use the hashes and indicators published by threat researchers (Unit 42 has published sample hashes and filenames).
  • Compensating controls: disable media preview for managed apps, block untrusted file types at gateway or filtering layers, and restrict admin or VPN access from unpatched mobile devices.
  • Incident handling: if compromise is suspected, isolate the device, capture forensic images, preserve logs, and engage mobile forensics specialists. Be prepared to reimage or replace devices that have had SELinux policy modifications or other deep persistence mechanisms.
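The hunting bullet above lists three signals worth correlating: unexpected shared‑object loads, SELinux policy changes, and unusual outbound traffic. The script below is an added example, not CISA's or any MDM vendor's code, showing how those three rules can be applied to device telemetry and correlated per device. It assumes a constructed key=value log format (real MDM/EDR exports differ, so the parser is the part to adapt); the trusted library prefixes, the egress threshold, the device IDs, the app package name and the IP addresses are all assumptions or constructed sample values. The only page‑derived names are libimagecodec.quram.so and l.so.

```python
import re
from collections import defaultdict

# Assumed baseline: system code lives under these prefixes; anything else is worth a look.
TRUSTED_LIB_PREFIXES = ("/system/", "/vendor/", "/apex/", "/product/")
# Assumed tuning value: bytes sent in one connection before we call it "large".
EGRESS_BYTES_THRESHOLD = 1_000_000

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Parse '<timestamp> key=value key="quoted value" ...' into a dict."""
    ts, _, rest = line.partition(" ")
    fields = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
    fields["ts"] = ts
    return fields


def evaluate(event):
    """Apply the three hunting rules to one event; return [(rule, detail), ...]."""
    findings = []
    kind = event.get("event")
    if kind == "lib_load":
        path = event.get("path", "")
        if not path.startswith(TRUSTED_LIB_PREFIXES):
            findings.append(("untrusted_shared_object", path))
    elif kind == "selinux_policy_change":
        findings.append(("selinux_policy_change", event.get("detail", "")))
    elif kind == "net_conn":
        try:
            bytes_out = int(event.get("bytes_out", "0"))
        except ValueError:
            bytes_out = 0
        if bytes_out >= EGRESS_BYTES_THRESHOLD:
            findings.append(("large_egress", f"{event.get('dst')} bytes_out={bytes_out}"))
    return findings


def hunt(lines):
    """Group findings per device; a device hitting two or more distinct rules is escalated."""
    per_device = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        event = parse_line(line)
        for rule, detail in evaluate(event):
            per_device[event.get("device", "?")].append(
                (event["ts"], event.get("proc"), rule, detail)
            )
    escalate = {dev for dev, f in per_device.items() if len({r for _, _, r, _ in f}) >= 2}
    return dict(per_device), escalate


# Constructed sample telemetry: dev-0017 looks normal, dev-0042 shows the full pattern.
SAMPLE_LOG = """\
2025-11-10T09:12:01Z device=dev-0017 event=lib_load proc=com.example.messenger path=/system/lib64/libimagecodec.quram.so
2025-11-10T09:12:02Z device=dev-0017 event=net_conn proc=com.example.messenger dst=198.51.100.20:443 bytes_out=4096
2025-11-10T09:14:01Z device=dev-0042 event=lib_load proc=com.example.messenger path=/system/lib64/libimagecodec.quram.so
2025-11-10T09:14:02Z device=dev-0042 event=lib_load proc=com.example.messenger path=/data/data/com.example.messenger/cache/l.so
2025-11-10T09:14:03Z device=dev-0042 event=selinux_policy_change proc=com.example.messenger detail="policy reloaded from non-system path"
2025-11-10T09:14:09Z device=dev-0042 event=net_conn proc=com.example.messenger dst=203.0.113.5:443 bytes_out=5242880
""".splitlines()


if __name__ == "__main__":
    findings, escalate = hunt(SAMPLE_LOG)
    for dev, items in findings.items():
        for ts, proc, rule, detail in items:
            print(f"{dev} {ts} {proc} {rule}: {detail}")
    print("escalate:", sorted(escalate))
```

Each rule on its own is noisy (a large upload can be a backup, a policy reload can be an update), which is why the verdict is made per device on the combination rather than on any single event; the threshold of two distinct rules is a starting point to tune against your own baseline.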

Critical analysis: strengths, gaps, and systemic risks

Strengths in the public detection ecosystem

  • Rapid vendor and researcher coordination has improved defenders’ visibility. Unit 42’s discovery of LANDFALL and public reporting on WhatsApp zero‑clicks forced vendor patches and spurred CISA action — demonstrating that coordinated disclosure and public reporting can reduce the adversary’s window.
  • CISA’s KEV mechanism converts observed exploitation into an operational priority for federal agencies and provides a useful signal to the private sector to accelerate remediation. These mechanisms matter for short remediation windows and to align resources across agencies.

Remaining and structural weaknesses

  • Patch fragmentation and slow rollouts: Samsung’s April 2025 patch for CVE‑2025‑21042 illustrates a chronic problem in the Android ecosystem. Staggered SMRs and carrier or regional delays mean many devices remain vulnerable for months after a vendor fix, which leaves a persistent, large attack surface for targeted campaigns.
  • Detection of zero‑click exploitation is hard: by definition, victims don’t interact with an exploit. Standard indicators (phishing links, suspicious apps) may be absent. Detection relies on telemetry, deep mobile forensics, and good MDM/EDR coverage — which many organizations and individuals lack.
  • Commercialization of offensive tooling: LANDFALL is described as commercial‑grade, and the market for private‑sector offensive actors (PSOAs) continues to lower the barrier to entry. When PSOA tooling is available, non‑state actors and customers with diverse motives can purchase turnkey surveillance capabilities, widening the pool of operators. This increases risk to journalists, activists, and smaller NGOs.

Attribution and geopolitical nuance

Public reporting links certain campaigns to operators or regions — for example, telemetry suggested victims in the Middle East for LANDFALL — but definitive attribution to a specific state or vendor often remains unresolved in public disclosures. Researchers and governments typically avoid hard attribution without legal and forensic certainty. Where attribution is stated in open‑source coverage, treat it as provisional unless substantiated by forensic evidence or official statements.

Unverified and cautionary notes

  • Be cautious with isolated CVE IDs or uncorroborated claims. Internal analyses that referenced mismatched CVE identifiers (for example, CVE‑2025‑64446 in one context) could not be independently verified at the time of review and should be treated as likely typographical or indexing errors until vendor advisories confirm them. Always cross‑check CVE identifiers against vendor PSIRTs, the National Vulnerability Database (NVD), and trusted vendor advisories before acting.

Long‑term recommendations for policy and product design

  • Messaging‑app designers should minimize automatic processing of untrusted content. Where previews are necessary, implement strong sandboxing, strict format filtering, and pre‑processing in hardened renderer sandboxes to prevent a single decoder vulnerability from granting code execution.
  • Device manufacturers should adopt stronger memory‑safety mitigations in system libraries (image codecs, parsers) and increase the cadence of coordinated disclosure to ensure fixes are broadly and promptly deployed. Fragmented update channels (OEM, carrier) must be streamlined to reduce windows of exposure.
  • Governments and procurement authorities should treat commercial spyware as a policy issue: regulate sales and exports, require transparency and auditing for lawful intercept tools, and support legal mechanisms to hold vendors and operators accountable where misuse or illegal surveillance is proven.
  • Civil‑society guidance and funding: provide targeted operational security support to at‑risk NGOs, journalists, and activists — supplying hardened devices, MDM enrollment, and training on device hygiene and detection basics.

Quick checklist for readers (actionable, copyable)

  • Update OS and messaging apps immediately; check for vendor SMRs (Samsung) or security releases.
  • Disable automatic media preview and auto‑download in messaging apps.
  • Audit linked devices and revoke unknown sessions in WhatsApp, Signal, Telegram, and others.
  • Avoid scanning QR codes from untrusted pages or messages; verify link targets independently before scanning.
  • Enroll devices in MDM for organizational users; restrict sideloading and enforce app‑update policies.

Conclusion

The convergence of commercial spyware, messaging‑app convenience features, and systemic patch distribution gaps has produced a landscape in which silent, highly intrusive compromises are not theoretical — they are occurring in the wild. CISA’s alert is a necessary, pragmatic call to action for users, civil‑society organizations, enterprises, and vendors: prioritize patching, harden media‑handling flows, limit device‑linking exposure, and invest in detection and forensic capability. At the same time, policymakers and platform vendors must confront the supply chains and market dynamics that put everyday messaging users at risk. The immediate technical mitigations are clear and achievable; the broader policy and ecosystem fixes will require sustained coordination between industry, government, and civil society.
Source: CISA, “Spyware Allows Cyber Threat Actors to Target Users of Messaging Applications”