WhatsApp fixes ‘zero-click’ bug used to hack Apple users with spyware

In a recent security update, WhatsApp announced that it has resolved a significant vulnerability in its iOS and Mac applications. This flaw had been leveraged to covertly infiltrate the Apple devices of select users. Known as CVE-2025-55177, the issue was exploited in conjunction with another vulnerability in Apple's systems, labeled CVE-2025-43300, which Apple had patched the previous week. According to a statement from WhatsApp, this vulnerability was part of a highly sophisticated assault that had been targeting specific individuals. Amnesty International's Security Lab head, Donncha Ó Cearbhaill, characterized the operation as an advanced spyware campaign that had been ongoing for approximately 90 days, starting in late May. Ó Cearbhaill highlighted that the attack utilized a 'zero-click' method, meaning it could compromise a device without any action from the victim, such as clicking a link. By chaining the two vulnerabilities, attackers were able to deploy malicious exploits via WhatsApp, putting users' personal information at risk. In a notification sent to affected users, WhatsApp warned that the breach could allow attackers to access sensitive data, including messages stored on the device. While the specific identity of the attackers remains unclear, a Meta spokesperson confirmed that the company identified and rectified the flaw several weeks ago. They also noted that they had sent out fewer than 200 notifications to users who were impacted. However, when asked if there was evidence linking the attacks to a particular entity or spyware vendor, the spokesperson did not provide additional information. This incident marks yet another instance in which WhatsApp users have found themselves in the crosshairs of government-sponsored spyware. Earlier this year, a U.S. court mandated that the NSO Group, a notorious spyware maker, pay WhatsApp $167 million in damages for a 2019 hacking spree that compromised over 1,400 users. WhatsApp has consistently taken legal action against such breaches, citing violations of federal and state laws as well as its own service agreements. Additionally, WhatsApp recently intervened in another spyware campaign that targeted nearly 90 users, including journalists and civil society members in Italy, despite the Italian government denying any involvement. Following the incident, Paragon, the spyware vendor implicated, ceased operations in Italy due to the lack of investigation into the misuse of its tools.