It’s the digital security training team at Freedom of the Press Foundation (FPF), with security news that keeps you, your sources, and your devices safe. After a few weeks of downtime, it’s Martin back at the helm.

CISA warns of attacks targeting Signal and WhatsApp users

The U.S. Cybersecurity and Infrastructure Security Agency put out an advisory saying it has detected “multiple cyber threat actors” using commercial spyware, as well as impersonating encrypted messaging apps such as Signal and WhatsApp. While the agency doesn’t name names, it suggests attackers are targeting “high-value individuals, such as current and former high-ranking government, military, and political officials, as well as civil society organizations (CSOs) and individuals across the United States, Middle East, and Europe.”

What you can do

  • We are already aware of some of the attacks at issue from research Google released earlier in the year. One of the most common leverages Signal’s “linked account devices” feature. If you’ve ever connected Signal on your mobile device to your desktop device, you have probably scanned a QR code to connect the new device to your existing account. Attackers are abusing this legitimate QR code flow to trick victims into connecting their secure Signal accounts to unwanted devices.
    There’s nothing to fear specifically from QR codes on their own, but if someone is pressuring you to scan a QR code, it might be worthwhile to hit pause. Whether someone’s urging you to click a link or scan a QR code, a sense of urgency is a red flag.
  • Journalists concerned about targeted malware now have solid options for improving the security of their devices. iPhone users can enable Lockdown Mode, and Android users can use Advanced Protection.
  • For more basic malware, the simplest defense is to just keep your device up to date. Read my colleague David Huerta’s post on why software updates are so important.

Updates from our team

In the U.S., everyone knows that at this time of the year, Mariah Carey’s power is at its zenith. Her capabilities are unchecked and terrifying. Therefore, the natural next step is for you to check out our guide to giving security gifts for journalists. We made some minor updates to the guide to keep up with the latest threats.

Our team is always ready to assist journalists with digital security concerns. Reach out here, and stay safe and secure out there.

Best,
Martin

Martin Shelton
Deputy Director of Digital Security
Freedom of the Press Foundation
