WhatsApp has recently patched a critical security vulnerability in its iOS and Mac applications that was actively exploited to deploy advanced spyware on Apple devices. This zero-click attack, requiring no user interaction, represents one of the most sophisticated mobile surveillance campaigns discovered this year.
Understanding Zero-Click Vulnerabilities
A zero-click vulnerability allows attackers to compromise a device without any action from the user, such as clicking a link or opening an attachment. These attacks exploit weaknesses in applications to bypass standard security protections, often going unnoticed by both the victim and conventional security software.
Details of the WhatsApp Vulnerability
The security flaw, officially designated as CVE-2025-55177, stemmed from insufficient authorization controls in WhatsApp’s linked device synchronization messaging system. This vulnerability allowed malicious actors to trigger the processing of content from arbitrary URLs on targeted devices without requiring any user interaction. The attack specifically targeted:
– WhatsApp for iOS versions prior to 2.25.21.73
– WhatsApp Business for iOS version 2.25.21.78
– WhatsApp for Mac version 2.25.21.78
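For an inventory or MDM team, the affected-version list above is the trigger for a fleet check. The script below is an added example, not code from the article or from WhatsApp: it compares installed builds against the thresholds named above field by field as integers, because plain string comparison would rank "2.25.21.9" above "2.25.21.73" and miss affected installs. Platform keys, the sample inventory, and treating the named Business/Mac build together with older builds as affected are assumptions made for the example.

```python
# Added example (not from the article): flag WhatsApp installs in the affected range.
from typing import Dict, List, Tuple

# Thresholds as stated in the article. iOS: builds before 2.25.21.73 are affected.
# Business for iOS and Mac: the article names build 2.25.21.78; this example
# assumes that build and anything older is affected (inclusive threshold).
AFFECTED_THRESHOLDS: Dict[str, Tuple[Tuple[int, ...], bool]] = {
    # platform key (assumed naming): (threshold, inclusive)
    "whatsapp-ios": ((2, 25, 21, 73), False),
    "whatsapp-business-ios": ((2, 25, 21, 78), True),
    "whatsapp-mac": ((2, 25, 21, 78), True),
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '2.25.21.73' into (2, 25, 21, 73); reject non-numeric fields."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed version string: {text!r}")
    return tuple(int(p) for p in parts)


def is_affected(platform: str, version: str) -> bool:
    """True when the installed build falls inside the affected range."""
    threshold, inclusive = AFFECTED_THRESHOLDS[platform]
    v = parse_version(version)
    # Tuple comparison is element-wise and numeric, so (2,25,21,9) < (2,25,21,73).
    return v <= threshold if inclusive else v < threshold


def triage(inventory: List[Tuple[str, str, str]]) -> List[str]:
    """Return device ids whose WhatsApp build needs updating."""
    return [dev for dev, plat, ver in inventory if is_affected(plat, ver)]


# Constructed sample inventory: (device id, platform, installed version).
SAMPLE_INVENTORY = [
    ("ios-001", "whatsapp-ios", "2.25.21.9"),          # older build, affected
    ("ios-002", "whatsapp-ios", "2.25.21.73"),         # fixed build
    ("ios-003", "whatsapp-business-ios", "2.25.21.78"),  # named build, affected
    ("mac-001", "whatsapp-mac", "2.25.22.1"),          # newer build
]

if __name__ == "__main__":
    print(triage(SAMPLE_INVENTORY))  # -> ['ios-001', 'ios-003']
```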
Chained Attack Strategy
Security researchers revealed that attackers combined the WhatsApp vulnerability with a separate Apple security flaw (CVE-2025-43300) to create a devastating attack chain. The Apple vulnerability, an out-of-bounds write issue in the ImageIO framework, was patched by Apple last week after the company acknowledged it had been exploited in “extremely sophisticated attacks against specific targeted individuals.”
The two-stage attack worked as follows:
1. Initial Compromise: The WhatsApp flaw tricked victim devices into fetching and processing malicious content from attacker-controlled URLs.
2. Code Execution: The Apple ImageIO vulnerability then enabled attackers to achieve remote code execution through malicious image processing.
Scope of the Attack
According to Donncha Ó Cearbhaill, who leads Amnesty International’s Security Lab, the attack was part of an “advanced spyware campaign” that has been active for roughly 90 days, starting in late May. WhatsApp explained in its security update blog that the flaw in its app was combined with an OS-level vulnerability in Apple devices. Apple fixed the issue on August 20 with the release of iOS 18.6.2 and iPadOS 18.6.2. In its support page, the company noted:
“Processing a malicious image file may result in memory corruption. Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals.”
While Apple did not disclose which users were affected, WhatsApp spokesperson Margarita Franklin told TechCrunch that fewer than 200 individuals were notified about the attack.
User Protection Measures
WhatsApp has advised affected users to take several protective steps:
– Perform a complete factory reset of their devices.
– Ensure their operating systems are updated to the latest versions.
– Update WhatsApp to the most recent version.
– Remain vigilant for unusual device behavior.
The company’s internal security team discovered the vulnerability and implemented fixes across all affected platforms. Users should verify they’re running the latest versions of WhatsApp and ensure automatic updates are enabled.
Broader Security Implications
This attack highlights the continuing evolution of commercial spyware capabilities and their targeting of civil society, journalists, and human rights defenders. The successful chaining of vulnerabilities across different platforms demonstrates the sophisticated resources available to state-sponsored and commercial surveillance operators.
Security researchers emphasize that zero-click attacks represent one of the most serious threats in mobile security, as they can compromise devices without any warning signs or required user actions. The incident underscores the importance of rapid security updates and the ongoing cat-and-mouse game between technology companies and surveillance vendors.
Users who believe they may have been targeted by the spyware campaign are encouraged to contact security researchers through established secure channels to help investigate the scope and attribution of the attacks.