The Meta-owned platform said on Monday that it had uncovered and stopped a series of spear-phishing attempts linked to NSO after receiving reports from users.

According to WhatsApp, the attackers tried to lure targets into clicking malicious links that directed them to websites outside the app.

“They tried to trick people into clicking on malicious links to drive them to external websites outside of WhatsApp,” the company wrote. “We also caught them creating test accounts and groups on WhatsApp, which we took down.”

WhatsApp said the operation shared similarities with another campaign uncovered in Jordan in 2024. In that case, victims who clicked malicious links were infected with Pegasus, NSO Group’s spyware.

Following its latest findings, Meta has asked a US federal court to hold NSO in contempt, arguing that the company breached a permanent injunction issued during a long-running case between both firms.

The court order stemmed from a 2019 hacking campaign in which more than 1,400 WhatsApp users were targeted through the platform. After discovering the breach, WhatsApp alerted affected users and filed a lawsuit against NSO.

A jury later ordered the spyware maker to pay $167 million in damages. That amount was subsequently reduced to $4 million.

The latest court filing is another chapter in an issue that has lasted several years and drawn attention to the high use of commercial spyware around the world.

NSO Group has been repeatedly cautioned over Pegasus, a surveillance tool capable of infiltrating mobile devices through so-called “zero-click” and “one-click” attacks. 

Investigations by journalists, security researchers and technology companies have linked the spyware to operations targeting journalists, activists, dissidents, human rights defenders and political opponents in several countries.

WhatsApp said it has continually exposed suspected spyware campaigns, notified victims and strengthened protections for users who may face a higher risk of digital surveillance.

Other technology companies, including Apple and Google, have also introduced additional security measures designed to help protect users from advanced spyware attacks.

Meta’s latest legal action has attracted support from civil society groups. A coalition of 12 civil rights organisations, privacy advocates and security researchers has filed court briefs backing the company’s position and urging the court to maintain pressure on NSO.

The spyware maker is also still under pressure from the US government. NSO is still listed on the US Commerce Department’s Entity List, a designation that restricts its access to American technology.

Washington has imposed similar measures on other spyware firms, including Intellexa and its founder.

In 2025, a group of US investors acquired NSO and began efforts to rebuild the company’s reputation while seeking the removal of US restrictions. However, the company remains on the Commerce Department blocklist.

The NSO Group did not respond to requests for comment on the latest allegations from WhatsApp.

This is according to new data released by global cybersecurity company, Kaspersky, shared ahead of its participation in GITEX Nigeria, one of the region’s most significant technology events taking place on September 3-4 in Lagos.

Across sub-Saharan Africa, the scale of threats is even more alarming, with 42.4 million web attacks and 95.6 million on-device attacks between January and June 2025.

Spyware cases more than doubled, password stealers increased by 64%, while backdoor infections rose 12% year-on-year.

In Nigeria alone, Kaspersky security solutions blocked 1.46 million online attack attempts during the first half of the year. Nearly one in five citizens (19.9%) were targeted, with threats ranging from phishing scams, botnets, and fake Wi-Fi networks to Remote Desktop Protocol exploits. 

Beyond web-based threats, 4.97 million on-device attacks were also intercepted, where 28.6% of Nigerian users suffered infections via USB drives, CDs, DVDs, and hidden installers. These included ransomware, worms, trojans, spyware, backdoors, and password stealers.

Phishing activity showed a mixed trend. While overall phishing detections dropped by 52%, the attacks became more focused. Financially motivated phishing, targeting banks, e-commerce platforms, and payment systems, surged by 46%. 

Kaspersky recorded more than 595,000 finance-related phishing attempts in Nigeria during the six-month period. Exploits targeting vulnerabilities in applications like Microsoft Office also remain a persistent danger.

Industrial systems are equally vulnerable. In the same reporting period, 26.5% of Industrial Control Systems (ICS) computers in Nigeria faced cyberattacks, with virus and worm infections posing serious threats to sectors such as power, construction, engineering, and biometrics. 

Africa, according to Kaspersky, records one of the highest global rates of malicious objects detected on ICS systems.

Commenting on the findings, Chris Norton, general manager for sub-Saharan Africa at Kaspersky, warned of the risks.

“Every day, more people in Africa and in Nigeria specifically are moving their businesses, banking, and even daily errands online. But with this opportunity comes a challenge. Cybercriminals are also becoming more active, targeting not only big companies and government networks, but also ordinary people, small businesses, and industrial infrastructures we depend on.”

At GITEX Nigeria 2025, Kaspersky will deliver workshops and hands-on sessions. Attendees will learn how to use real-time intelligence to detect and respond to active threats, gain insights on building a cyber-aware workforce, explore cloud container security, and participate in the Kaspersky Interactive Protection Simulation (KIPS), an exercise designed to expose common cybersecurity mistakes among decision-makers.

In its report, Kaspersky also highlighted its ongoing partnership with Nigerian institutions. Earlier in August, it signed a Memorandum of Understanding (MoU) with the Small and Medium Enterprises Development Agency of Nigeria (SMEDAN) to strengthen SME cyber resilience. Norton explained:

“Earlier this month, Kaspersky signed an MoU with the Small and Medium Enterprises Development Agency of Nigeria (SMEDAN). That agreement is about giving SMEs more knowledge to protect themselves.

“Our role at GITEX Nigeria builds on that. For us, it is about supporting Nigeria and the broader region so that digital growth goes hand in hand with digital safety.”

With the peak in cyber threats and attacks, Kaspersky’s 2025 warning report reveals cybercriminals are growing at a huge scale just as Nigeria expands its digital footprint.

Malicious apps, designed to look like everyday tools, have been quietly spying on activists, minority groups, and critics of the Chinese government.

This isn’t the typical data breach story we are used to. It’s deeper. Covert. Targeted. And deliberate.

In a joint advisory issued on Tuesday, the UK’s National Cyber Security Centre (NCSC), backed by GCHQ, revealed that two spyware software—BadBazaar and Moonshine—have been embedded inside Android apps that appear safe. 

These apps were carefully built to mirror popular tools like Telegram, WhatsApp, Adobe Acrobat, and even religious apps designed for Muslims and Buddhists.

These digital decoys were more than just annoying malware. They turned phones into portable surveillance devices—recording conversations, tracking movements, stealing photos, and reading private messages. And all of it happening without the user’s knowledge.

The spyware wasn’t scattered randomly across app stores. It had a purpose and targets.

The reports say the apps were used to zero in on Uyghur Muslims, Tibetans, Taiwanese independence activists, and supporters of Hong Kong’s pro-democracy movement and the Falun Gong spiritual group. Most of the targets live outside China, but their work or beliefs are seen by Beijing as threats to national stability.

Let’s not sugar-coat it—this is state-level digital stalking.

“These apps specifically target individuals internationally who are connected to topics that are considered by the Chinese state to pose a threat to its stability, with some designed to appeal directly to victims or imitate popular apps,” the NCSC stated.

The two spyware families seen on android apps have been previously dissected by cybersecurity outfits like Trend Micro, Lookout, and Volexity, as well as Citizen Lab, a nonprofit watchdog that has long tracked Chinese cyber activity.

BadBazaar, for instance, is known to have disguised itself as encrypted messengers and file-sharing apps. Moonshine, on the other hand, reportedly posed as a custom-built suite of tools tailored for certain targets, including Tibetans.

In total, over 100 Android apps were identified. The decoys included everything from prayer apps and language learning tools to document readers and chat platforms. One iOS app, TibetOne, even made its way to Apple’s App Store back in 2021.

Google and Apple have yet to comment publicly on whether the listed apps have been removed or how many users might have been affected.

The advisory reiterates that the tools we trust to communicate and organise can be twisted into weapons of surveillance.

Rowland Corr, Vice President of Government Relations at Enea, was one of several industry experts invited to share his expertise at the Committee of Inquiry, which consists of 38 Members of Parliament.

The PEGA Committee was formed in March 2022 by the European Parliament to investigate spyware, particularly in relation to the alleged targeting of journalists, lawyers, law enforcement officials, diplomats, and other people of influence in the EU.

Corr appeared at the Committee’s most recent hearing on March 16, 2023, and prefaced his contribution by urging the Committee to broaden its scope, highlighting the fact that other forms of spying beyond the use of spyware were steadily occurring over mobile networks that were relevant to the Committee’s concerns.

“Spyware is the tip of the iceberg in mobile telecom surveillance,” Corr commented. “Vulnerabilities in mobile networks, and governance gaps are exploited by threat actors to execute unauthorized intrusions with impunity.”

Corr also made the point that capability must be prioritized over mere compliance to combat the threat effectively, as the signaling security landscape continues to evolve over time. He continued, “This area of risk is not sufficiently understood, reported or integrated at national levels. Critical infrastructure protection, cybersecurity, and national security all intersect when it comes to mobile network security. And the key to improving resilience may lie in emphasizing capability over compliance on the part of stakeholders – be they operators, regulators, or cyber agencies.”

Recently, the potential for access to EU-based infrastructure to be used by third-country actors as a tool for surveillance, separate from the use of spyware, has increased significantly. Corr continued to impress upon the Committee the importance of looking at surveillance threats beyond the basic use of spyware tools like Pegasus and, in parallel, focus on infrastructure as a whole:

“A key area of vulnerability is mobile telecoms signaling and the abuse of access to signaling infrastructure. To put this vulnerability into context as an area of surveillance risk – the use of mobile spyware weaponizes the personal device of the victim, and the use of mobile signaling weaponizes the network serving them. Put simply, in the hands of attackers, the mobile service itself becomes the cyber weapon.”

As 5G is adopted worldwide, there is a pressing need for secure interworking between protocols, network elements (across generations) and a need for secure interconnections nationally and internationally. This represents an increasingly complex and critical area within electronic communications.

Enea has received industry recognition as a leader and innovator in mobile telecoms security for protective solutions, research into vulnerabilities, and contribution to the development of industry guidelines. As outlined by the Committee Chair, a core part of Enea’s business is securing networks and protecting subscribers worldwide against unauthorized intrusions.

The PEGA Committee was tasked with gathering information on the extent to which Member States or third countries are using intrusive surveillance to the extent that it violates the rights and freedoms enshrined in the EU’s Charter of Fundamental Rights. The Inquiry has a 12-month mandate, which parliament can extend if required. A report based on the findings of the Inquiry is set to be published later this year.

This should be a red flag for all organizations, especially with the transition to remote and hybrid working, where employees are using mobile devices more often.

These devices now have access to sensitive company data and direct connectivity to the enterprise network.

Combine that with the key ‘human error’ ingredient and you’ll see why mobile devices are such a prime target for cybercriminals. 

Despite this, many corporate cybersecurity strategies tend to focus only on traditional endpoints, such as laptops. Do you know if all the mobile devices in your organization are safe from malware? Perhaps you have Mobile Device Management (MDM) and think that’s enough?

Unfortunately, MDM does not provide intrusion detection or scan for malware. And with the mobile threat landscape constantly evolving, it’s never been more important to have a robust solution in place. Let’s take a look at the current mobile malware landscape and what you need to know to stay protected in 2022.  

Thriving spyware marketplace 

The current mobile malware landscape is a minefield with more and more vulnerabilities being exploited and spyware software being deployed. In our last security report, we noted that NSO Group’s notorious spyware, Pegasus, was wreaking havoc after it was discovered gaining access to the mobile devices of government officials and human rights activists.

Unfortunately, 2022 was no different, with Pegasus found to have compromised the devices of Finland’s Ministry of Foreign Affairs, Spain’s Prime Minister as well as multiple devices of UK officials.

In July, Apple introduced a ‘lockdown mode’ for its devices to protect against Pegasus hacks. Even though this mode will increase the security of the users who will use it, but it will also significantly reduce the user experience and limit the functionality of iPhones.

However, while Pegasus is one of the most powerful tools currently on the market, the surveillance vendor ecosystem has also become more competitive. For example, Predator, a spyware produced by commercial surveillance company Cytrox, infected iPhones towards the end of 2021 via single click links sent over WhatsApp. As of today, the reach of these tools, let alone their mechanisms, is not yet fully understood by the cyber community despite extensive research efforts. 

Zero Click Attacks

In terms of techniques, this year we have seen a surge in discovered zero-click attacks. As the name suggests these attacks require no input from the victim before deploying malware. This is because they exploit existing vulnerabilities in already installed apps, allowing threat actors to sneak past verification systems and begin their attack unnoticed.

This technique is particularly focused on applications that accept and process data, for example, instant messaging and email platforms.  

We saw this in action in April when a new zero-click iMessage exploit leveraged to install Pegasus on iPhones was discovered, running on some early iOS versions. The exploit named HOMAGE was used in a campaign against Catalan officials, journalists and activists.

It’s important to emphasize however, that this technique isn’t just a threat to world leaders but to the everyday person and organizations. Our phones are hubs of confidential data, both personal data such as banking information as well as business data, with many employees now connected to their company’s networks and data via their mobiles, which multiplied over the pandemic with thousands working from home. Cybercriminals are utilizing this silent and persistent practice to gain as much access as possible. 

Smishing attacks on the rise 

In addition to Zero Click attacks, we have also observed a continuous uplift in the spreading technique known as “Smishing” (SMS Phishing), which uses SMS messages as the attack vector for malware distribution. These attempts often imitate trusted brands or personal contacts to entice the victim to click on a link or share personal details in confidence. This method has proven particularly successful as after one device has been compromised, its entire contact list is up for grabs, creating an endless cycle of possible victims.  

This is how the infamous Flubot was commonly deployed. Since its emergence in December 2020, it has been considered the fastest growing Android botnet ever seen.

The group is known to be particularly innovative and continuously seeking to improve its variants, having claimed tens of thousands of victims.  As such, in June, an international law enforcement operation involving 11 countries led to its infrastructure being taken down and rendering the malware inactive. 

Evidently, Flubot’s position could not remain vacant for too long, as a new Android malware operation called MaliBot emerged in the wild soon after. MaliBot is targeting online banking and cryptocurrency wallets in Spain and Italy, looking to replicate the success of its predecessor. At the time of writing, MaliBot is already the third most prevalent mobile malware worldwide, despite being so new, with AlienBot taking the top spot. 

Safety on the App Store?

Many users turn to application stores to help keep their devices secure, however, unfortunately there are apps that claim to help manage security risks but which often contain malware themselves.

The most secured stores like Google Play Store and Apple App Store have thorough review processes to investigate candidate applications before they are uploaded and are held to high security standards once they are admitted onto the platforms. A recent report stated that throughout 2021, Google blocked 1.2 million suspicious applications and Apple blocked 1.6 million.

Resourceful cybercriminals continually try to bypass these security measures, though, with different tactics such as manipulating their code to pass through the filters or introduce initially benign applications and add the malicious elements at a later stage.

So, it’s not surprising to still find malicious applications hiding in these stores. In fact, these platforms remain the main infection vectors in mobile threats. For example, Check Point researchers recently analyzed suspicious applications on the Google Play Store and found a few of them masquerading as genuine Anti-Virus solutions, while in reality, once downloaded the apps installed an Android Stealer called SharkBot which steals credentials and banking information. And in February, an Android banking Trojan called Xenomorph was spotted lurking behind a fake productivity application on the Google Play Store. There were over 50,000 downloads.

It must also be noted that due to the pandemic fueling increased use of mobiles for work purposes over the last two years, leveraging mobile phones for work purposes suddenly became the new normal for many users and enterprises, which meant targeting the mobile devices became also the new normal for cybercriminals. 

Unfortunately, the general awareness of the users of mobile phones with regards to cybersecurity attacks is much lower, and even though, many of them have started leveraging their personal or work-provided mobiles for work purposes, many still do not view it as a sensitive corporate environment, being less careful of malicious emails or links they receive.  

Unfortunately, the threat landscape is evolving rapidly, and mobile malware is a significant danger to both personal and enterprise security, especially as mobile devices are vulnerable to several attack vectors, from the application to the network and OS layers.

To combat this risk, organizations should also be looking to instill proactive strategies that can keep staff and corporate data safe from a potential attack.

This must be a continuous journey as cybercriminals are relentless, always adapting and improving on their tactics. 

For mobile users themselves, we recommend additional safety measures such as downloading applications only from certified Google and Apple stores, and even while downloading them there – review the recommendations, and number of downloads of a certain application, to verify that the applications is legitimate.

Mobile users should adopt on their mobile phones, the same rules they have as on their desktop devices such as not clicking on links from unknown senders, whether it comes via email, SMS message or messaging applications, and not to download files from untrusted sources.

For some businesses it may be beneficial to employ the help of tools that fortify endpoint resilience and secure remote users. 

Check Point Harmony  for instance, uses real-time threat intelligence to actively guard against zero-day phishing campaigns, and URL filtering to block access to known malicious websites from any browser.

It also enforces conditional access, ensuring that if any device does become infected it will be unable to access corporate applications and data. Harmony Mobile achieves all of this – and more – without disrupting employees or hampering their productivity.

Whether you’re a start-up, a growing SME, or well-established business, all types of businesses should prioritise security.

A recent study by Kaspersky found that ransomware attacks in South Africa have doubled (likewise in Nigeria) when comparing January to April 2022 to the same period last year. It’s estimated that an average South African company will need to spend million to retrieve the stolen data!

Malware attacks also pose an immense threat to businesses, and these software viruses include worms, spyware, adware, and trojans that breach a network through a vulnerability.

Beyond internet security and antivirus software, what else can you do? There are a few things you need to be aware of when investing in hardware like laptops for yourself or for employees to make it more difficult for attackers to breach your systems.

1. Industry-grade screen security

You never know who is watching your screen, and some information is not meant to be seen by everyone. Although employees should be powering off machines if they are away from them, they often forget.

Look for laptops like the Acer TravelMate P6 that feature tools for mitigating this risk. The built-in Acer User Sensing technology allows for accurate detection of people based on range and movement, and keeps your data safe by locking the screen when you leave.

When you return, you can quickly log back in with the optional IR webcam that uses biometric facial recognition software, or the fingerprint reader located on the power button.

This is called Power-on-Authentication and saves you time trying to remember and enter passwords when you’re on the clock. Not only that, but the Acer TravelMate P6 has a convenient camera shutter that can be slid across the webcam for extra security.

Furthermore, its Privacy Panel obscures viewing angles beyond 90° when activated, and can be turned off whenever you need to use the full 170° wide viewing angle of the display to share and collaborate. This means no prying eyes and an extra level of privacy for your sensitive data.

Beyond screen security, the TravelMate P6 takes protection a little further and makes it particularly difficult for hackers to get into your system. It includes dTPM (discreet, Trusted performance module) hardware and makes your device basically tamper-resistant.

In other words, if someone tries to remotely unlock your laptop without authorisation, they will be met with the system drive preventing them from even booting up the device.

2. Zero-touch enrolment and security

You could also look for a device that simplifies the security process, making it easier for IT teams to initiate updates and keep all laptops secure.

The Acer ChromeBook Enterprise Spin 714 with Chrome OS enables user management and security on devices without IT teams ever having to touch them.

Chromebooks have multiple layers of built-in protection, including securing the identity of each device with no extra time needed for manual configuration, and access to enterprise-class security, without needing to pay for additional antivirus software.

This is because updates are pushed out regularly to ensure that your computer is up to date with the latest security patches. Better yet, these updates are completely non-disruptive and happen silently in the background. 

Another benefit of Chrome OS is sandboxing, a security feature that runs every program, website, or web application as a separate process in a restricted environment. So, if you accidentally open a harmful website, the threat will be contained to that site and won’t be able to affect anything else on your computer. 

3. Secure data with two-factor authentication

Two-factor or multiple-factor authentication refers to using two or more authentication methods to verify your identity.

This can be something like accessing a folder with your employee ID number, and then being required to verify again that it’s you by clicking on a confirmation email before you’re allowed in.

This is a vital step to secure access to accounts and sensitive information. It’s simple to implement and can make a significant difference, so ensure that it’s enabled.

4. Security doesn’t end with your laptop

Cybersecurity features can only protect you to a certain point. Employees need to be educated on what to avoid, how to treat suspicious content, and how to react in these situations. Stats show that 1-in-3 people will click on a phishing link.

Therefore, you need to educate your employees on the basics of cybersecurity principles, the various types of cyberattacks, and who to report it to if they suspect any malicious intent.

5. Implement VPNs for all connections

By now we know that generic security measures are still vulnerable to attacks. That’s why something like a virtual private network (VPN) connection is so handy.

It provides secure access to your company’s network, allowing your employees to work from anywhere, anytime, with reliable protection against data theft.

By encrypting data traffic, no one is able to spy on your company’s messages, emails, receipts, or even office memes. It’s the perfect barrier between the internet and the employee’s computer.

Securing your company’s personal computers, laptops and mobile devices are more important now than ever before.

Without protection, sensitive information can be easily stolen, leading to loss of confidential or customer data.

Luckily companies like Acer are paving the way with the latest innovations that plug in seamlessly with your current security solutions. Learn more about their ground-breaking laptops and visit the Acer website. 

Kenya and Nigeria saw slight increases in this threat. Security operations centers in organisations remain on alert with various cybercriminal groups continuing their activity across regions.

But how do you protect your organization from Spyware?

Kaspersky experts recommend:

1. Providing your SOC team with access to the latest threat intelligence (TI)

Kaspersky Threat Intelligence Portal is a single point of access for the company’s TI, providing cyberattack data and insights gathered by Kaspersky over the past 20 years.

To help businesses enable effective defenses in these turbulent times, Kaspersky announced free access to independent, continuously updated and globally sourced information on ongoing cyberattacks and threats. Request access online.

2. Upskilling your cybersecurity team to enable them to tackle the latest targeted threats with Kaspersky online training, developed by GReAT experts.

3. Using an enterprise-grade EDR solution, such as Kaspersky EDR Expert. 

It is essential for detecting threats among a sea of scattered alerts – thanks to its automatic merging of alerts into incidents – as well as to analyse and respond to an incident in the most effective way. 

4. In addition to adopting essential endpoint protection, implementing a corporate-grade security solution that detects advanced threats on the network level at an early stage, such as Kaspersky Anti Targeted Attack Platform.

5. Introducing security awareness training and teaching practical skills to your team – using tools such as the Kaspersky Automated Security Awareness Platform, as many targeted attacks start with social engineering techniques, such as phishing.

Kenya and Nigeria saw slight increases in this threat. Security operations centers in organisations remain on alert with various cybercriminal groups continuing their activity across regions.

Spyware is a type of malware that is used to spy on a user’s actions (to track data entered by keyboard, make screen shots, retrieve a list of running applications, etc.). 

The collected information is then transmitted to the malicious user controlling the spyware through email, the web and other methods. 

Spyware can be installed on any device – desktops or laptops, servers and mobile devices and masked as regular apps for unnoticed operation. Spyware is used for espionage – to collect banking card credentials, passwords and other valuable data. 

In 2021, Kaspersky experts identified the PseudoManuscrypt spyware module targeting many industrial and government organisations. It collected VPN connection data, logged keypresses, captured screenshots and videos of the screen, recorded sound with the microphone and stole clipboard data and operating system event log data. Industrial espionage was one of the possible objectives of the campaign. Other spyware threats monitored by Kaspersky experts include such known cases as Pegasus, Chrysaor, FinSpy, CoolWebSearch, Gator.

Dynamics of users affected by Trojan Spies in the African regions were multidirectional. In South Africa, the number of users affected by Trojan Spies in Q2 decreased by 21% in comparison with Q1. In Nigeria the number of affected users increased by 12%.

In Kenya, the number of users affected by spyware remained almost unchanged with a 1% increase.

“Spyware remains one of the most popular types of malware, enabling corporate espionage or intellectual property theft. It is often used in a targeted manner, with corporate networks getting infiltrated for information collection. It is common that spyware can lead to loss of some corporate data from a device of one of the employees, but it is far more likely that the compromised employee will be used as an entry-point into the corporate network, which contains more information,” comments Emad Haffar, Head of Technical Experts, META region at Kaspersky. “One of the key characteristics of spyware is evasiveness – a competent Security Operations Center together with advanced cybersecurity solutions are required to mitigate this threat. Kaspersky Endpoint Security for Business and Kaspersky Anti Targeted Attack work well for organisations to block spyware in corporate systems.”