WhatsApp Fixes Zero-Click Spyware Bug Targeting Apple Users

August 29, 2025

WhatsApp Addresses Security Vulnerabilities in iOS and Mac Apps

On Friday, WhatsApp announced the resolution of a security flaw present in its applications for both iOS and Mac operating systems.

This vulnerability was reportedly exploited to gain unauthorized access to Apple devices belonging to a select group of individuals who were specifically targeted.

Details of the Security Flaws

According to WhatsApp’s security advisory, the vulnerability, officially designated as CVE-2025-55177, was utilized in conjunction with a separate flaw identified in iOS and Mac systems.

Apple addressed this related flaw, tracked as CVE-2025-43300, in an update released last week.

Targeted Attacks and Zero-Click Exploitation

Apple initially indicated that the identified flaw was leveraged in a highly sophisticated attack aimed at a limited number of specific individuals.

Further investigation has revealed that dozens of WhatsApp users were targeted through the combined exploitation of these two vulnerabilities.

Donncha Ó Cearbhaill, leading the Security Lab at Amnesty International, characterized the attack as an “advanced spyware campaign” that has been active over the past 90 days, beginning at the end of May.

Ó Cearbhaill described the pair of bugs as enabling a “zero-click” attack, meaning no user interaction, such as clicking a malicious link, is required to compromise a device.

Impact of the Exploitation

The coordinated exploitation of these two vulnerabilities allowed attackers to deliver a malicious exploit via WhatsApp.

This exploit was capable of extracting data from the affected user’s Apple device.

As detailed in a threat notification shared by WhatsApp with impacted users, and posted by Ó Cearbhaill, the attack could potentially “compromise your device and the data it contains, including messages.”

Investigation and Response

The identity of the attacker, or of the specific spyware vendor involved, remains unclear.

Meta spokesperson Margarita Franklin confirmed to TechCrunch that the company detected and patched the flaw “a few weeks ago.”

Notifications were sent to fewer than 200 affected WhatsApp users.

The spokesperson refrained from commenting on whether WhatsApp possesses evidence linking the attacks to a particular attacker or surveillance vendor.

Past Incidents and Legal Action

This is not an isolated incident of WhatsApp users being targeted by government spyware.

Such malware is capable of breaching fully updated devices by exploiting previously unknown vulnerabilities, known as zero-day flaws.

In May, a U.S. court ordered NSO Group to pay WhatsApp $167 million in damages stemming from a 2019 hacking campaign.

This campaign compromised over 1,400 WhatsApp users through an exploit used to install NSO’s Pegasus spyware.

WhatsApp initiated legal proceedings against NSO Group, citing violations of federal and state hacking laws, as well as its own terms of service.

Recent Disruptions

Earlier this year, WhatsApp successfully disrupted a spyware campaign targeting approximately 90 users, including journalists and civil society members in Italy.

The Italian government denied any involvement in the spying operation.

Paragon, the spyware provider utilized in the campaign, subsequently suspended Italy’s access to its hacking tools due to a lack of investigation into the misuse.

Secure Contact Information

If you received a notification indicating your device was compromised, you can securely contact the reporter via Signal using the username zackwhittaker.1337.
