New Warning on Mobile Spyware: What Companies Must Do to Protect Employee Devices | By: Jeffrey R. Glassman

On November 25, 2025, the Cybersecurity and Infrastructure Security Agency (“CISA”) issued an alert regarding advanced spyware campaigns targeting mobile devices. The warning identifies messaging apps and social media platforms as primary vectors and emphasizes the need for stronger mobile security practices by businesses large and small. Because mobile devices routinely contain personal and corporate data, the alert carries significant implications for privacy and cybersecurity compliance.

CISA highlighted spyware capable of capturing messages, emails and authentication codes; enabling remote microphone or camera activation; circumventing device security settings; and propagating through compromised messaging applications. These attacks target individuals and organizations alike, including employees with access to sensitive IT infrastructure.

Mobile spyware raises compliance risks under various privacy laws, including the California Privacy Rights Act (“CPRA”) and sector-specific regulations such as the Health Insurance Portability and Accountability Act (“HIPAA”) and the Gramm-Leach-Bliley Act (“GLBA”). Businesses must ensure that employee devices used for work-related purposes meet required security standards. To that end, organizations should deploy Mobile Device Management (“MDM”) solutions that enforce encryption, updates and app restrictions, and Bring Your Own Device (“BYOD”) programs must include minimum security requirements.

Moreover, spyware targeting text messages and authentication codes highlights the need for phishing-resistant multi-factor authentication, including hardware keys or passkeys. Companies must also evaluate messaging and collaboration platforms for security vulnerabilities and confirm adherence to encryption standards. Employees should be trained, as always and as ever, to recognize suspicious links, app downloads and permission requests. And incident response plans should include mobile-specific investigation steps and procedures for promptly isolating compromised devices.

CISA’s alert reinforces that mobile devices are now, and shall remain, high-value targets for threat actors. Businesses must strengthen mobile security programs, implement comprehensive device management and update privacy compliance frameworks to address evolving risks.

This publication is published by the law firm of Ervin Cohen & Jessup LLP. The publication is intended to present an overview of current legal trends; no article should be construed as representing advice on specific, individual legal matters. Articles may be reprinted with permission and acknowledgment. ECJ is a registered service mark of Ervin Cohen & Jessup LLP. All rights reserved.
