The Encryption Illusion: Why Your “Secure” Messaging Apps Aren’t Protecting Your Business Data

“We use Signal. We’re secure.”

If that sentence sounds familiar, your organisation has a problem. Not because Signal isn’t secure – it is – but because end-to-end encryption has become the most dangerous security blanket in enterprise IT.

In February 2025, Google’s Threat Intelligence Group revealed that Russian state hackers had successfully compromised Signal accounts without breaking a single line of encryption. In November 2025, CISA issued a national alert warning that threat actors were actively exploiting WhatsApp, Signal, and Telegram to deliver spyware to high-value targets. The attacks work because encryption protects the message. But the device? That’s another story entirely.

Your employees are having sensitive business conversations on messaging apps right now. Here’s why that should worry you – and what the attackers know that you don’t.

The Security Theatre of End-to-End Encryption

End-to-end encryption creates a mathematically secure tunnel between sender and recipient. Messages travelling through this tunnel are, for all practical purposes, unbreakable. This is a genuine security achievement.

But here’s what the marketing doesn’t tell you: encryption protects messages in transit. It does absolutely nothing to secure the devices at either end of that tunnel.

Think about it this way: a message is encrypted the moment it leaves your employee’s phone and decrypted the moment it arrives at the recipient’s phone. Between those two points? Mathematically impenetrable. At those two points? Completely readable – because the message has to be readable for humans to use it.

Modern threat actors don’t attack the encryption. They attack the endpoints. And they’ve developed remarkably sophisticated methods to do it.

Four Ways Attackers Bypass “Secure” Messaging

1. The QR Code Hijack: Real-Time Message Duplication

This is the technique that made Google’s Threat Intelligence team issue an urgent warning in February 2025.

Signal, WhatsApp, and Telegram all allow users to link additional devices to their accounts. You scan a QR code, authorise the connection, and messages synchronise across your phone, tablet, and computer. It’s convenient. It’s also a vulnerability.

Russian threat actors – including the infamous Sandworm group (APT44) – have developed an attack that works like this:

• The attacker creates a malicious QR code disguised as a legitimate Signal group invite, a security alert, or a device pairing instruction
• The victim scans the code, expecting to join a group or confirm a security check
• Instead, the QR code silently links an attacker-controlled device to the victim’s account
• From that moment on, every message the victim sends or receives is delivered to the attacker in real-time

The attack requires no malware. No device compromise. No breaking of encryption. The victim’s phone continues working normally – they have no idea their secure conversations are being duplicated to hostile infrastructure.

Google’s report revealed something even more alarming: Russian forces have used this technique on Signal accounts from devices captured on Ukrainian battlefields, linking them back to intelligence servers for follow-on exploitation. If it works on military targets, it works on corporate targets.

2. Zero-Click Exploits: No Interaction Required

The Landfall campaign, tracked by Google and other security researchers through late 2024 and early 2025, represents a different category of threat entirely.

The attack vector? A malformed image sent via WhatsApp.

The victim doesn’t need to click anything. They don’t need to open the image. They don’t need to do anything at all. Simply receiving the message triggers automatic exploitation of a vulnerability in how Samsung devices process certain image formats.

Once triggered, the Landfall spyware grants attackers access to:

• Real-time location data
• Complete photo libraries
• Call logs and contact lists
• All messages – encrypted or not
• Remote microphone activation

The encryption between sender and recipient remained mathematically intact throughout the attack. It simply didn’t matter – the attacker was reading messages after they’d been decrypted for display on the victim’s screen.

3. Accessibility Abuse: Reading Over Your Shoulder

In November 2025, security researchers at ThreatFabric documented a new Android malware family called Sturnus that takes a deceptively simple approach to bypassing end-to-end encryption.

It doesn’t try to intercept messages in transit. It doesn’t exploit cryptographic vulnerabilities. It simply watches the screen.

Android’s Accessibility Service was designed to help users with disabilities interact with their devices. It allows apps to observe and interact with screen content, read text aloud, and automate actions. Sturnus abuses this service to:

• Read message content directly from the screen after the legitimate app has decrypted it
• Capture full conversations from WhatsApp, Telegram, and Signal in real-time
• Exfiltrate contact information and message metadata
• Harvest banking credentials by watching login screens

The malware distributes itself through social engineering – phishing emails, malicious SMS messages, and fake app downloads. Once installed and granted accessibility permissions (often by users who don’t understand what they’re approving), every “encrypted” conversation becomes visible to the attacker.

4. AI Tool Poisoning: The Invisible Exfiltration

This is perhaps the most concerning development for enterprise security teams.

In April 2025, security researchers at Invariant Labs demonstrated a vulnerability in how AI assistants integrate with messaging platforms. Using a technique called “MCP tool poisoning,” they showed that an attacker can manipulate an AI assistant connected to WhatsApp to:

• Extract the user’s entire message history
• Exfiltrate data to attacker-controlled phone numbers via what appears to be normal messaging
• Bypass traditional DLP systems entirely – because the traffic looks like legitimate AI behaviour

As enterprises increasingly integrate AI tools with communication platforms to boost productivity, they’re inadvertently creating new attack surfaces that most security architectures aren’t designed to detect.

The Enterprise DLP Blindspot

Here’s the uncomfortable truth for security teams: messaging apps exist entirely outside your security perimeter.

Your DLP policies don’t apply. Your monitoring tools have no visibility. Your acceptable use policies have no enforcement mechanism. And the very encryption that’s supposed to protect communications also prevents you from inspecting them for sensitive data.

Meanwhile, a recent study found that approximately 25% of employees share confidential company information through messaging platforms, often without malicious intent. A sales team creates a WhatsApp group to share leads faster. A developer pastes code snippets to get help from a contact. An HR manager sends employee records to the wrong chat.

When that employee’s device is compromised – through any of the techniques above – the attacker gains access to months of conversation history. Customer data. Competitive intelligence. M&A discussions. Strategic plans. All exfiltrated without a single alert from your security stack.

And if that employee leaves for a competitor? They take the entire conversation history with them – on a device you don’t control, through a platform you can’t audit.

What Security Leaders Need to Do Now

The solution isn’t to ban messaging apps – that’s both impractical and ineffective. Employees will find workarounds, driving communication further underground. The solution is to extend your security perimeter to include the mobile device layer.

Immediate actions:

1. Audit linked devices: Require employees to regularly review the “Linked Devices” section in Signal, WhatsApp, and Telegram settings. Any unfamiliar device should be immediately removed.
2. Deploy mobile threat defence: MDM manages device configuration; it doesn’t detect threats. Purpose-built MTD solutions identify malicious apps, suspicious network behaviour, and device compromise indicators in real-time.
3. Establish data classification policies for mobile channels: Define what categories of information can and cannot be shared via messaging apps. Enforce through training and, where possible, technical controls.
4. Treat QR codes as phishing vectors: Train employees to verify any QR code before scanning – especially those purporting to be group invites, security alerts, or device pairing instructions.
5. Monitor accessibility permissions: Any app requesting Accessibility Service access should be scrutinised. Most legitimate apps don’t need it – and granting it to malware gives attackers complete visibility into device activity.

The Bottom Line

End-to-end encryption is a genuine security advancement. But it’s not a security solution – and the industry’s marketing has created a dangerous misconception that “encrypted” means “secure.”

State-sponsored threat actors have already adapted. They don’t attack the encryption; they attack the endpoints. And they’re succeeding – against military targets, government officials, journalists, and increasingly, corporate executives.

Your employees use messaging apps for business communication. That’s not going to change. What can change is whether your security strategy accounts for the reality that those “secure” channels represent one of the largest unprotected attack surfaces in your organisation.

The question isn’t whether your organisation is exposed. The question is whether you’ll see the attack coming.

Corrata provides comprehensive protection for mobile devices, detecting threats that bypass traditional security controls. Our solution identifies malicious network behaviour, dangerous apps, and device compromise indicators in real-time – giving you visibility into the mobile attack surface that messaging encryption hides from view. Contact us to learn how we can help close the mobile DLP gap.