WhatsApp has patched a dangerous flaw in its iOS and Mac apps that allowed hackers to break into Apple devices without the victims clicking a thing. The zero-click exploit, linked to a broader Apple vulnerability fixed last week, was used in what security experts describe as a targeted spyware campaign.
How the WhatsApp bug was exploited
The flaw, officially tracked as CVE-2025-55177, worked in tandem with Apple’s CVE-2025-43300. Together, the two bugs gave attackers a way to deliver malicious code through WhatsApp, compromising both the device and the user’s private data.
According to Amnesty International’s Security Lab, the exploit was used in “an advanced spyware campaign” running since late May. Victims didn’t need to tap, open, or accept anything; the attack required no interaction at all.
Once triggered, the exploit could access data on the device, including WhatsApp messages.
Who was targeted in the spyware campaign
Meta, WhatsApp’s parent company, confirmed that it detected the flaw weeks ago and quietly patched it. Fewer than 200 people received notifications that their accounts had been targeted.
So far, WhatsApp has not identified which spyware vendor or government-backed actor was behind the campaign. Still, the nature of the attack suggests highly resourced operators.
WhatsApp’s long fight against spyware
This isn’t the first time WhatsApp has been a battleground for surveillance tools.
- In 2019, spyware maker NSO Group hacked more than 1,400 users with its Pegasus malware. A U.S. court later ordered NSO to pay WhatsApp $167 million in damages.
- Earlier in 2025, WhatsApp disrupted another spyware campaign targeting 90 users in Italy, where Paragon’s tools were linked to government use.
Each case highlights how zero-day exploits can compromise even fully updated devices.
What users should know now?
WhatsApp says the vulnerability is patched, and Apple addressed its side of the exploit last week. Still, users are encouraged to keep devices updated, enable automatic patches, and watch for official notifications from Apple or WhatsApp.
While fewer than 200 people were hit this time, the attack shows just how advanced spyware has become and why staying one step ahead matters more than ever.
{{user}} {{datetime}}
{{text}}