Spyware Targets Messaging Apps, Feds Say
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has warned smartphone users about commercial spyware aimed at mobile messaging applications. It says messaging apps that use ordinary cellular text messaging as a backup are particularly at risk.
According to the federal cyber defense agency, these malicious tools are often deployed through social engineering tactics that manipulate users into installing them. Once a device is compromised, the spyware can siphon off sensitive data including private messages, contact lists, and real-time location, potentially giving attackers full control of the device.
Multiple Attack Methods
CISA's warning emphasizes that while anyone can be a target, these campaigns often single out individuals in sensitive roles. Attackers are reportedly focusing on government officials, military personnel, political figures, and civil society organizations across the United States, Europe, and the Middle East.
Attackers employ a diverse toolkit to deliver this spyware. These methods range from classic phishing scams to more modern tactics, such as tricking users with deceptive QR codes that compromise their messaging accounts. Criminals also create counterfeit versions of popular encrypted messaging apps, like Signal and WhatsApp, and publish them on app stores to trick unsuspecting users.
How to Protect Yourself
CISA's updated "Mobile Communications Best Practice Guidance" first and foremost recommends sticking to applications that offer end-to-end encryption by default. For iPhone users, the agency highlights a specific vulnerability: the 'Send as SMS' setting in iMessage. As explained by Forbes, this fallback feature automatically transmits your iMessage as a standard, unencrypted text if the secure service is unavailable, leaving your conversation exposed. (Source: forbes.com)
The agency's advice, reported by Cyberscoop, also strongly discourages the use of SMS for multi-factor authentication. Because text messages are not encrypted, authentication codes sent via SMS can be easily intercepted. CISA's guidance extends to broader digital hygiene, urging users to maintain up-to-date software, enable advanced security features, such as the Lockdown Mode available on Apple devices, and be vigilant about granting app permissions, which can create unnecessary attack vectors. (Source: cyberscoop.com)
What's Your Opinion?
Have you changed your messaging habits due to security concerns? Do you believe app developers are doing enough to protect users from spyware? Is CISA's advice useful or simply stating the obvious?

My name is Dennis Faas and I am a senior systems administrator and IT technical analyst specializing in cyber crimes (sextortion / blackmail / tech support scams) with over 30 years' experience; I also run this website!

