Microsoft Teams Guest Chat Vulnerability

29 Dec 2025

Malware Campaigns Targeting Messaging Apps

Situation

In 2025, cybersecurity researchers and government agencies have uncovered a set of active and increasingly sophisticated spyware campaigns targeting Android (and in some cases iOS or Samsung-specific devices). Rather than exploiting weaknesses in encryption for messaging apps themselves, attackers are circumventing security by targeting the devices, tricking users into installing spyware via phishing, fake apps, or zero-day media-parsing vulnerabilities. Key campaigns recently documented include one dubbed ClayRat, which impersonates popular apps; one named LandFall, which exploits a zero-day in certain Samsung devices; and other spyware operations that mimic trusted messaging platforms like Signal or ToTok.

Problem

Attackers are leveraging social engineering and phishing: they create fake apps or websites that masquerade as legitimate, popular services (WhatsApp, YouTube, TikTok, Google Photos, etc.), often distributed via unofficial channels such as messaging-app links or Telegram channels. These fake apps encourage users to sideload Android Package Kit (APK) files, bypassing official app store protections. Some spyware uses “session-based” installation flows designed to work around modern Android security restrictions (Android 13+), reducing user suspicion and avoiding common runtime permission prompts. In more advanced attacks, attackers exploit zero-day vulnerabilities in device firmware or OS components; for example, a critical out-of-bounds write in the image-processing library of certain Samsung Galaxy devices (CVE-2025-21042). By embedding malicious payloads in seemingly innocuous images (e.g., DNG files), the attacker can achieve remote code execution and device compromise, often requiring no user interaction (“zero-click”). Spyware goes beyond theft of data: once installed, it frequently requests privileged roles, giving it broad access to SMS, call logs, notifications, contacts, camera and more, enabling surveillance, exfiltration, and further spread.

Risk & Impact

Devices compromised by spyware enable attackers to read sensitive data (SMS, call logs, contacts, device info, notifications) and even take control of the device to make calls, send SMS, take photos, and exfiltrate data. Once inside, attackers can compromise messaging apps, intercepting messages and hijacking accounts (e.g., via linked-device features), defeating the confidentiality even of end-to-end encrypted apps. Compromised devices may be turned into distribution hubs, sending malicious links to all contacts and rapidly propagating infection at scale. For high-value individuals (officials, activists, journalists), spyware might facilitate espionage, surveillance, blackmail, or broader infiltration of networks, communications, and contacts. The use of zero-day exploits like those in LandFall indicates that threat actors can increasingly bypass standard user-level safeguards, making even cautious users vulnerable if their devices are unpatched.

Mitigation/Prevention

Mitigating this evolving spyware threat requires a combination of device hygiene, user awareness, and system hardening:

  • Only install apps from trusted sources (official app stores); avoid sideloading APKs from unverified links, Telegram channels, or suspicious websites.
  • Keep device OS, firmware, and applications updated promptly, especially security patches from device manufacturers (e.g. Samsung) and app developers.
  • Use additional security layers: enable protections such as “Enhanced Protection / Safe Browsing” (on Android), enable device-level security settings, use vetted antivirus / mobile-security tools.
  • For highly targeted individuals or high-risk users: consider multi-factor authentication methods resistant to SIM-SMS intercepts, avoid SMS-based MFA when possible, and limit use of untrusted networks or file transfers.

Indicators of Compromise (IOCs)

From the investigations so far, the following IOCs / suspicious behaviors have been documented:

  • Presence of APKs or apps that claim to be updates for popular apps (WhatsApp, TikTok, YouTube, Google Photos), especially when distributed outside official app stores (e.g. via Telegram channels or phishing sites).
  • Use of phishing portals mimicking official service pages, with fake user reviews/download counts, or a “Play Store style” user interface (UI) prompting sideloading.
  • When spyware is active: device behaviors like unexpected permission requests (e.g. becoming default SMS handler), unexplained SMS or calls sent, unusual camera activation, data exfiltration traffic to command-and-control (C2) servers.
  • For zero-day exploits: presence of suspicious image files (e.g. DNG images) in received media, especially via messaging apps (e.g. attachments via WhatsApp), possibly triggering unexpected crashes or anomalous behavior.
  • Network traffic to unknown C2 domains, especially if encrypted or obfuscated; in the case of ClayRat, some samples embed a recognizable marker (“apezdolskynet”) within base64-encoded payloads.
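As an added illustration, not part of the original bulletin, the script below shows how two of the indicators above could be checked from a defender's side: an installed-app inventory is screened for sideloaded packages that borrow a popular app's name, and a base64 blob is checked for the ClayRat marker. The official package names and the Play Store installer id are known values; the inventory rows and the encoded sample are constructed here.

```python
import base64
import re

# Official package names of the apps the fake installers impersonate (known values).
OFFICIAL_PACKAGES = {
    "whatsapp": "com.whatsapp",
    "tiktok": "com.zhiliaoapp.musically",
    "youtube": "com.google.android.youtube",
    "google photos": "com.google.android.apps.photos",
}
PLAY_STORE_INSTALLER = "com.android.vending"   # installer id set by Google Play
CLAYRAT_MARKER = b"apezdolskynet"               # marker named in the advisory

# Constructed sample inventory (shape loosely follows `pm list packages -i` output
# plus the app label and whether the app holds the default-SMS role); not real data.
SAMPLE_INVENTORY = [
    {"package": "com.whatsapp", "label": "WhatsApp", "installer": "com.android.vending", "default_sms": False},
    {"package": "com.wa.update.pro", "label": "WhatsApp Update", "installer": None, "default_sms": True},
    {"package": "com.google.android.youtube", "label": "YouTube", "installer": "com.android.vending", "default_sms": False},
    {"package": "org.tiktok.lite", "label": "TikTok", "installer": "com.android.chrome", "default_sms": False},
]
# Constructed base64 sample carrying the marker inside its decoded payload.
SAMPLE_BLOB = base64.b64encode(b"cfg=1;apezdolskynet;c2=placeholder.invalid")


def impersonated_brand(label):
    """Return the popular-app name a label borrows, or None."""
    low = label.lower()
    return next((brand for brand in OFFICIAL_PACKAGES if brand in low), None)


def flag_sideloaded_impersonators(inventory):
    """Flag apps named after a popular app that are not the official package,
    were not installed via the Play Store, or hold the default-SMS role."""
    findings = []
    for app in inventory:
        brand = impersonated_brand(app["label"])
        if brand is None:
            continue
        reasons = []
        if app["package"] != OFFICIAL_PACKAGES[brand]:
            reasons.append("package differs from official %s" % OFFICIAL_PACKAGES[brand])
        if app["installer"] != PLAY_STORE_INSTALLER:
            reasons.append("not installed via Play Store (installer=%s)" % app["installer"])
        if app["default_sms"]:
            reasons.append("holds default SMS role")
        if reasons:
            findings.append((app["package"], reasons))
    return findings


def contains_clayrat_marker(blob):
    """Check the raw base64 text and its decoded bytes for the marker."""
    compact = re.sub(rb"\s+", b"", blob)
    if CLAYRAT_MARKER in compact:
        return True
    try:
        return CLAYRAT_MARKER in base64.b64decode(compact)
    except ValueError:   # binascii.Error is a ValueError subclass
        return False
```

On a real device the inventory would be built from the package manager output and the role holder from the Roles settings; the functions are unchanged.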

Links
https://www.theregister.com/2025/11/25/cisa_spyware_gangs/
https://unit42.paloaltonetworks.com/landfall-is-new-commercial-grade-android-spyware/
https://cloud.google.com/blog/topics/threat-intelligence/russia-targeting-signal-messenger/
https://www.bleepingcomputer.com/news/security/new-android-spyware-clayrat-imitates-whatsapp-tiktok-youtube
https://www.clearphish.ai/news/android-spyware-clayrat-whatsapp-tiktok-youtube-espionage-2025
https://en.wikipedia.org/wiki/Sideloading