WhatsApp said on Friday that it fixed a security bug in its iOS and Mac apps that was being used to stealthily hack into the Apple devices of “specific targeted users.”
The Meta-owned messaging app giant said in its security advisory that it fixed the vulnerability, known officially as CVE-2025-55177, which was used alongside a separate flaw found in iOS and Macs, which Apple fixed last week and tracks as CVE-2025-43300.
Apple said at the time that the flaw was used in an “extremely sophisticated attack against specific targeted individuals.” Now we know that dozens of WhatsApp users were targeted with this pair of flaws.
Donncha Ó Cearbhaill, who heads Amnesty International’s Security Lab, described the attack in a post on X as an “advanced spyware campaign” that targeted users over the past 90 days, or since the end of May. Ó Cearbhaill described the pair of bugs as a “zero-click” attack, meaning it does not require any interaction from the victim, such as clicking a link, to compromise their device.
The two bugs chained together allow an attacker to deliver a malicious exploit through WhatsApp that’s capable of stealing data from the user’s Apple device.
Per Ó Cearbhaill, who posted a copy of the threat notification that WhatsApp sent to affected users, the attack was able to “compromise your device and the data it contains, including messages.”
It’s not immediately clear who, or which spyware vendor, is behind the attacks.
When reached by TechCrunch, Meta spokesperson Margarita Franklin confirmed the company detected and patched the flaw “a few weeks ago” and that the company sent “less than 200” notifications to affected WhatsApp users.
The spokesperson did not say, when asked, if WhatsApp has evidence to attribute the hacks to a specific attacker or surveillance vendor.
This is not the first time that WhatsApp users have been targeted by government spyware, a kind of malware capable of breaking into fully patched devices with vulnerabilities not known to the vendor, known as zero-day flaws.
In May, a U.S. court ordered spyware maker NSO Group to pay WhatsApp $167 million in damages for a 2019 hacking campaign that broke into the devices of more than 1,400 WhatsApp users with an exploit capable of planting NSO’s Pegasus spyware. WhatsApp brought the legal case against NSO, citing a breach of federal and state hacking laws, as well as its own terms of service.
Earlier this year, WhatsApp disrupted a spyware campaign that targeted around 90 users, including journalists and members of civil society across Italy. The Italian government denied its involvement in the spying campaign. Paragon, whose spyware was used in the campaign, later cut off Italy from its hacking tools for failing to investigate the abuse.
Zack Whittaker is the security editor at TechCrunch. He can be reached via encrypted message at zackwhittaker.1337 on Signal. You can also contact him by email, or to verify outreach, at zack.whittaker@techcrunch.com.