A newly updated set of smartphone security guidelines from the U.S. Cybersecurity and Infrastructure Security Agency is drawing attention as threats from commercial spyware rise sharply, targeting both everyday users and those in sensitive professions. The recommendations, published under a “traffic light protocol: clear” classification, offer rare, detailed insight into how federal cyber officials believe individuals should harden their mobile devices against increasingly sophisticated attacks.
A Growing Threat to Ordinary Users
In recent months, federal cyber officials have observed what they describe as a troubling shift: once-specialized surveillance tools, traditionally deployed by state actors or high-end intelligence contractors, are becoming more widely accessible. According to a CISA alert, “multiple cyber threat actors” are actively leveraging commercial spyware to breach mobile messaging platforms, including those that rely on end-to-end encryption.
This new landscape has emerged alongside reports of Sturnus spyware being used to intercept private messages sent over Signal, Telegram, and WhatsApp. Similar attacks have surfaced in local governments in the United Kingdom, and among customers of major tech and financial platforms such as Amazon, Netflix and PayPal. As spyware evolves, it increasingly bypasses the protections consumers have long assumed were impenetrable.
While high-risk individuals (journalists, activists, government workers and military personnel) remain primary targets, CISA warns that ordinary smartphone users may become collateral victims in broader campaigns aimed at higher-value figures.
Inside CISA’s Updated Mobile Security Guidance
CISA’s “Mobile Communications Best Practice Guidance,” newly updated and released with permission to share publicly, offers step-by-step measures for both iPhone and Android users. The guidance aims to reduce the “attack surface,” that is, the total number of digital pathways that can be exploited by malicious actors.
For iPhone users, CISA emphasizes the activation of Lockdown Mode, a feature designed to limit app and web activity in ways that frustrate sophisticated surveillance tools. The agency also advises disabling fallback SMS options to ensure messages remain fully encrypted, using iCloud Private Relay to obscure DNS queries, and restricting app permissions with particular attention to location, camera and microphone access.
Android users receive parallel measures, with additional attention to variations among manufacturers and the Android ecosystem. CISA recommends choosing devices from companies with strong security update commitments, enabling only RCS messaging systems with end-to-end encryption, setting high-privacy DNS resolvers such as Cloudflare’s 1.1.1.1 or Google’s 8.8.8.8, and activating Chrome protections like “always use secure connections” and “enhanced protection for safe browsing.” Google Play Protect and tight permission controls round out the guidance.
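A defender can verify one of the Android settings above without touching the phone’s UI. The script below is an added example, not CISA’s code or the guidance’s own tooling; it assumes `adb` is on the PATH with a USB-debugging device attached, and reads Android’s documented `private_dns_mode` / `private_dns_specifier` global settings (Android’s Private DNS field takes a DNS-over-TLS hostname such as `one.one.one.one` or `dns.google`, not a bare IP).

```python
"""Audit an Android device's Private DNS configuration against the CISA
recommendation to use an encrypted, privacy-respecting resolver."""
import subprocess

# Hostnames Android accepts for the two resolvers named in the guidance.
KNOWN_RESOLVERS = {"one.one.one.one", "dns.google"}


def adb_setting(key: str) -> str:
    """Read one key from the 'global' settings namespace over adb.
    Unset keys come back as the literal string 'null'."""
    result = subprocess.run(
        ["adb", "shell", "settings", "get", "global", key],
        capture_output=True, text=True, check=True,
    )
    return result.stdout.strip()


def evaluate_private_dns(mode: str, specifier: str) -> dict:
    """Classify the Private DNS state.

    mode is 'off', 'opportunistic' (the UI's "Automatic"), 'hostname'
    (strict DNS-over-TLS to a named server) or 'null' when never set,
    which Android treats as Automatic. Only strict hostname mode to a
    known resolver satisfies the guidance, because Automatic silently
    falls back to cleartext DNS when the upstream does not speak DoT.
    """
    mode = (mode or "null").strip().lower()
    spec = (specifier or "").strip().lower()
    if mode == "hostname" and spec in KNOWN_RESOLVERS:
        return {"ok": True, "reason": f"strict DNS-over-TLS via {spec}"}
    if mode == "hostname":
        return {"ok": False,
                "reason": f"strict mode, but {spec!r} is not a known resolver"}
    if mode in ("opportunistic", "null"):
        return {"ok": False,
                "reason": "Automatic mode: falls back to plaintext DNS"}
    return {"ok": False, "reason": "Private DNS off: queries sent in cleartext"}


def audit_device() -> dict:
    """Pull both settings from the attached device and evaluate them."""
    return evaluate_private_dns(adb_setting("private_dns_mode"),
                                adb_setting("private_dns_specifier"))


if __name__ == "__main__":
    verdict = audit_device()
    print(("PASS" if verdict["ok"] else "FAIL") + ": " + verdict["reason"])
```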
The Expanding Marketplace for Commercial Spyware
Security analysts say the timing of CISA’s updated guidance is significant. The market for commercial spyware, once dominated by a small number of firms, has rapidly expanded, with lower barriers to entry and fewer regulatory controls. As a result, tools capable of monitoring calls, messages and network traffic are no longer the exclusive domain of nation-states.
These tools increasingly exploit vulnerabilities not only in messaging applications but also in the underlying mobile operating systems. Because many attacks rely on social engineering or minimal user interaction, even cautious users may find themselves exposed.
CISA’s alert notes that attackers may target users indirectly as part of broader surveillance efforts. A person whose communications intersect with journalists, diplomats or political figures may be compromised simply by association, underscoring the agency’s recommendation that all users adopt baseline defenses.
A Federal Push Toward Personal Cyber Hygiene
The release of step-by-step smartphone hardening instructions marks an unusual level of detail from a federal cybersecurity agency. Historically, such guidance has been directed primarily at enterprise administrators or critical infrastructure operators. By contrast, the updated document reflects a growing federal recognition that personal devices, used for work, communication, and increasingly for identity verification, have become essential targets in modern cyber campaigns.
CISA’s recommendations stop short of offering guarantees; no combination of settings can render a device impervious. But the agency’s guidance signals a shift in federal posture: acknowledging that spyware is no longer a niche threat, and that individual action, from reviewing app permissions to enabling encrypted DNS, is becoming a frontline defense in the broader cybersecurity environment.