WhatsApp fixes ‘zero-click’ bug used to hack Apple users with spyware | TechCrunch


WhatsApp said on Friday that it fixed a security bug in its iOS and Mac apps that was being used to stealthily hack into the Apple devices of “specific targeted users.”

The Meta-owned messaging app giant said in its security advisory that it fixed the vulnerability, known officially as CVE-2025-55177, which was used alongside a separate flaw found in iOS and Macs, which Apple fixed last week and tracks as CVE-2025-43300.

Apple said at the time that the flaw was used in an “extremely sophisticated attack against specific targeted individuals.” Now we know that dozens of WhatsApp users were targeted with this pair of flaws.

Donncha Ó Cearbhaill, who heads Amnesty International’s Security Lab, described the attack in a post on X as an “advanced spyware campaign” that targeted users over the past 90 days, or since the end of May. Ó Cearbhaill described the pair of bugs as a “zero-click” attack, meaning it doesn’t require any interaction from the victim, such as clicking a link, to compromise their device.

The two bugs chained together allow an attacker to deliver a malicious exploit through WhatsApp that’s capable of stealing data from the user’s Apple device.

Per Ó Cearbhaill, who posted a copy of the threat notification that WhatsApp sent to affected users, the attack was able to “compromise your device and the data it contains, including messages.”

It’s not immediately clear who, or which spyware vendor, is behind the attacks.

When reached by TechCrunch, Meta spokesperson Margarita Franklin confirmed the company detected and patched the flaw “a few weeks ago” and that the company sent “less than 200” notifications to affected WhatsApp users.

The spokesperson didn’t say, when asked, if WhatsApp has evidence to attribute the hacks to a specific attacker or surveillance vendor.

This isn’t the first time that WhatsApp users have been targeted by government spyware, a type of malware capable of breaking into fully patched devices with vulnerabilities not known to the vendor, known as zero-day flaws.

In May, a U.S. court ordered spyware maker NSO Group to pay WhatsApp $167 million in damages for a 2019 hacking campaign that broke into the devices of more than 1,400 WhatsApp users with an exploit capable of planting NSO’s Pegasus spyware. WhatsApp brought the legal case against NSO, citing a breach of federal and state hacking laws, as well as its own terms of service.

Earlier this year, WhatsApp disrupted a spyware campaign that targeted around 90 users, including journalists and members of civil society across Italy. The Italian government denied its involvement in the spying campaign. Paragon, whose spyware was used in the campaign, later cut off Italy from its hacking tools for failing to investigate the abuse.

Did you receive a notification that your device was compromised? Get in touch with this reporter securely via the username zackwhittaker.1337 on Signal.
