WhatsApp has confirmed a sophisticated hacking campaign targeting fewer than 200 users, exploiting a zero-click flaw on Apple devices.
Quick Summary – TLDR:
- WhatsApp and Apple patched serious security bugs exploited in an advanced spyware campaign
- Attackers used zero-click vulnerabilities requiring no user interaction to compromise devices
- Fewer than 200 users worldwide were targeted, including members of civic organizations
- Amnesty International and Meta confirmed the attacks may have hit both iOS and Android users
What Happened?
WhatsApp has disclosed a major security incident involving a zero-click exploit that allowed attackers to remotely compromise user devices without any action from the victim. The exploit chained a vulnerability in WhatsApp itself with a separate bug in Apple’s operating system. Though both issues have now been patched, cybersecurity experts say the exploit was likely part of a commercial spyware campaign.
"🚨 BREAKING: New zero-click exploit used to hack WhatsApp users.
WhatsApp has just sent out a round of threat notifications to individuals they believe were targeted by an advanced spyware campaign in the past 90 days.
Seek out expert help if you have received this alert."
— Donncha Ó Cearbhaill (@DonnchaC), August 29, 2025
WhatsApp and Apple Under Fire from Sophisticated Spyware Campaign
The vulnerability in WhatsApp, tracked as CVE-2025-55177, was caused by incomplete authorization of linked device synchronization messages. This flaw allowed hackers to trick a user’s device into processing content from any URL. When combined with a separate OS-level bug in Apple devices, tracked as CVE-2025-43300, the exploit became even more dangerous.
Apple described its flaw as an “out-of-bounds write issue”, where processing a malicious image file could result in memory corruption. The issue was addressed in Apple’s iOS 18.6.2 and iPadOS 18.6.2 updates released on August 20, 2025.
WhatsApp credited its internal security team for discovering the issue and emphasized that fewer than 200 individuals were affected. Meta, WhatsApp’s parent company, said it has notified affected users but cannot confirm with certainty whether their devices were successfully compromised.
Attackers Did Not Need Clicks to Hijack Devices
What makes this attack especially alarming is its use of a zero-click mechanism. These types of exploits are among the most dangerous in cybersecurity because:
- They require no interaction from the victim
- Malware is triggered automatically once the app processes malicious content
- Users remain unaware their device has been compromised
Donncha Ó Cearbhaill, head of Amnesty International’s Security Lab, said this spyware campaign likely ran for about 90 days starting in late May. His team is now gathering forensic evidence from potential victims. He warned that other apps, not just WhatsApp, might also have been affected.
Links to Commercial Spyware Industry
Although neither Apple nor WhatsApp confirmed the origin of the attack, the details strongly suggest involvement from commercial spyware developers. Similar attacks in the past have been linked to firms like NSO Group, makers of Pegasus, and QuaDream, another Israel-based spyware company.
In fact, NSO Group was ordered to pay $167 million in damages earlier this year after a court found that its spyware had been used to target over a thousand WhatsApp users in 2019, including journalists, activists and diplomats.
Who Is Affected and What Should You Do?
The attack impacted:
- WhatsApp for iOS prior to v2.25.21.73
- WhatsApp Business for iOS prior to v2.25.21.78
- WhatsApp for Mac prior to v2.25.21.78
Even if you have not received a notification from Meta, it is strongly advised to update your devices:
- Install the latest OS updates on iPhone and iPad (iOS/iPadOS 18.6.2)
- Update WhatsApp to the latest version through the App Store
- Perform a full factory reset if you were notified of potential targeting
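For anyone checking more than one device, the version thresholds above can be applied to an inventory export. The following is an added example, not code from WhatsApp, Apple or this publication; the device names and installed versions are constructed, and the only real values are the fixed versions quoted in this article. It compares versions numerically, because a plain string comparison would wrongly rank 2.25.9.x above 2.25.21.x.

```python
# Added example: thresholds are the fixed versions quoted in this article.
FIXED = {
    "WhatsApp for iOS": "2.25.21.73",
    "WhatsApp Business for iOS": "2.25.21.78",
    "WhatsApp for Mac": "2.25.21.78",
    "iOS/iPadOS": "18.6.2",
}

def parse_version(text):
    """'v2.25.21.73' -> (2, 25, 21, 73); raises ValueError if malformed."""
    parts = text.strip().lstrip("vV").split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in parts)

def is_outdated(product, installed):
    """True if the installed version is older than the fixed version."""
    fixed, have = parse_version(FIXED[product]), parse_version(installed)
    width = max(len(fixed), len(have))
    pad = lambda v: v + (0,) * (width - len(v))  # treat 18.6 as 18.6.0
    return pad(have) < pad(fixed)

def audit(inventory):
    """Return (device, product, installed, status) for rows needing action."""
    findings = []
    for device, product, installed in inventory:
        if product not in FIXED:
            continue  # product not covered by this article
        try:
            if is_outdated(product, installed):
                findings.append((device, product, installed, "update required"))
        except ValueError:
            findings.append((device, product, installed, "check manually"))
    return findings

# Constructed sample rows (hypothetical devices), e.g. from an MDM export.
SAMPLE_INVENTORY = [
    ("phone-01", "WhatsApp for iOS", "2.25.9.80"),
    ("phone-01", "iOS/iPadOS", "18.6.2"),
    ("phone-02", "WhatsApp Business for iOS", "v2.25.21.78"),
    ("ipad-03", "iOS/iPadOS", "18.6"),
    ("mac-04", "WhatsApp for Mac", "2.25.21.77"),
    ("phone-05", "WhatsApp for iOS", "unknown"),
]

if __name__ == "__main__":
    for row in audit(SAMPLE_INVENTORY):
        print(*row, sep="\t")
```

Rows with an unreadable version are reported for manual checking rather than silently treated as patched.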
SQ Magazine Takeaway
This is exactly why I always push for regular updates on both apps and devices. Zero-click attacks like this are terrifyingly stealthy. You do not click anything, you do not open anything, and yet your entire phone could be compromised. I really appreciate WhatsApp’s transparency in revealing the flaw and Apple’s swift action to patch the issue. But this also shows how far spyware developers will go, and why digital security needs constant vigilance. If your device is even slightly outdated, it could be vulnerable right now.