{"id":186657,"date":"2025-08-30T06:53:17","date_gmt":"2025-08-30T06:53:17","guid":{"rendered":"https:\/\/www.europesays.com\/us\/186657\/"},"modified":"2025-08-30T06:53:17","modified_gmt":"2025-08-30T06:53:17","slug":"whatsapp-fixes-zero-click-bug-used-to-hack-apple-users-with-spyware","status":"publish","type":"post","link":"https:\/\/www.europesays.com\/us\/186657\/","title":{"rendered":"WhatsApp fixes ‘zero-click’ bug used to hack Apple users with spyware"},"content":{"rendered":"

WhatsApp said on Friday that it fixed a security bug in its iOS and Mac apps that was being used to stealthily hack into the Apple devices of \u201cspecific targeted users.\u201d<\/p>\n

The Meta-owned messaging app giant said in its security advisory that it fixed the vulnerability, known officially as CVE-2025-55177<\/a>, which was used alongside a separate flaw found in iOS and Macs, which Apple fixed last week and tracks as CVE-2025-43300<\/a>.<\/p>\n

Apple said at the time that the flaw was used in an \u201cextremely sophisticated attack against specific targeted individuals.\u201d Now we know that dozens of WhatsApp users were targeted with this pair of flaws.<\/p>\n

Donncha \u00d3 Cearbhaill, who heads Amnesty International\u2019s Security Lab, described the attack in a post on X<\/a> as an \u201cadvanced spyware campaign\u201d that targeted users over the past 90 days, or since the end of May. \u00d3 Cearbhaill described the pair of bugs as a \u201czero-click\u201d attack, meaning it does not require any interaction from the victim, such as clicking a link, to compromise their device.<\/p>\n

The two bugs chained together allow an attacker to deliver a malicious exploit through WhatsApp that\u2019s capable of stealing data from the user\u2019s Apple device.\u00a0<\/p>\n

Per \u00d3 Cearbhaill, who posted a copy of the threat notification that WhatsApp sent to affected users, the attack was able to \u201ccompromise your device and the data it contains, including messages.\u201d<\/p>\n

It\u2019s not immediately clear who, or which spyware vendor, is behind the attacks.\u00a0<\/p>\n

When reached by TechCrunch, Meta spokesperson Margarita Franklin confirmed the company detected and patched the flaw \u201ca few weeks ago\u201d and that the company sent \u201cless than 200\u201d notifications to affected WhatsApp users.\u00a0<\/p>\n

The spokesperson did not say, when asked, if WhatsApp has evidence to attribute the hacks to a specific attacker or surveillance vendor.<\/p>\n

This is not the first time that WhatsApp users have been targeted by government spyware<\/a>, a kind of malware capable of breaking into fully patched devices with vulnerabilities not known to the vendor, known as zero-day<\/a> flaws.<\/p>\n

In May, a U.S. court ordered spyware maker NSO Group to pay WhatsApp $167 million in damages<\/a> for a 2019 hacking campaign that broke into the devices of more than 1,400 WhatsApp users with an exploit capable of planting NSO\u2019s Pegasus spyware. WhatsApp brought the legal case<\/a> against NSO, citing a breach of federal and state hacking laws, as well as its own terms of service.<\/p>\n

Earlier this year, WhatsApp disrupted a spyware campaign<\/a> that targeted around 90 users, including journalists and members of civil society across Italy.\u00a0The Italian government denied its involvement in the spying campaign<\/a>. Paragon, whose spyware was used in the campaign, later cut off Italy from its hacking tools<\/a> for failing to investigate the abuse.<\/p>\n

Did you receive a notification that your device was compromised? Get in touch with this reporter securely via the username zackwhittaker.1337 on Signal.<\/p>\n","protected":false},"excerpt":{"rendered":"WhatsApp said on Friday that it fixed a security bug in its iOS and Mac apps that was…\n","protected":false},"author":3,"featured_media":186658,"comment_status":"","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[7],"tags":[14461,734,104644,158,67,132,68,4730,104646,104645],"class_list":{"0":"post-186657","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-technology","8":"tag-cyberattack","9":"tag-cybersecurity","10":"tag-spyware","11":"tag-technology","12":"tag-united-states","13":"tag-unitedstates","14":"tag-us","15":"tag-whatsapp","16":"tag-zero-click","17":"tag-zero-day"},"share_on_mastodon":{"url":"https:\/\/pubeurope.com\/@us\/115116402970813537","error":""},"_links":{"self":[{"href":"https:\/\/www.europesays.com\/us\/wp-json\/wp\/v2\/posts\/186657","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.europesays.com\/us\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.europesays.com\/us\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.europesays.com\/us\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/www.europesays.com\/us\/wp-json\/wp\/v2\/comments?post=186657"}],"version-history":[{"count":0,"href":"https:\/\/www.europesays.com\/us\/wp-json\/wp\/v2\/posts\/186657\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.europesays.com\/us\/wp-json\/wp\/v2\/media\/186658"}],"wp:attachment":[{"href":"https:\/\/www.europesays.com\/us\/wp-json\/wp\/v2\/media?parent=186657"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.europesays.com\/us\/wp-json\/wp\/v2\/categories?post=186657"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.europesays.com\/us\/wp-json\/wp\/v2\/tags?post=186657"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}