On August 29, WhatsApp announced that it had patched a security vulnerability in its iOS and Mac apps that was being exploited to secretly access the devices of “specific targeted users.”
The Meta-owned messaging platform said in its advisory that the flaw, identified as CVE-2025-55177, has been fixed. Apple had addressed a related issue last week, tracked as CVE-2025-43300, which was exploited alongside the WhatsApp bug in what the company described as a “very sophisticated attack against specific targeted individuals.”
According to Amnesty International’s Security Lab chief Donncha Ó Cearbhaill, the campaign ran for about 90 days starting late May and involved an “advanced spyware operation.” One of the vulnerabilities enabled a “zero-click” exploit, allowing attackers to infect a device without requiring any action from the victim.
Ó Cearbhaill said the attack chain allowed hackers to use WhatsApp as a delivery vector to steal data from iPhones, including messages and other sensitive information. WhatsApp also sent warning notifications to affected users. The identities of the attackers or spyware vendors behind the campaign remain unknown.
Meta spokesperson Margarita Franklin told TechCrunch the flaw was patched “a few weeks ago” and confirmed that fewer than 200 WhatsApp users had been notified. She declined to comment on attribution.
This is not the first time WhatsApp has been exploited in government-linked spyware operations. In May, a U.S. court ordered Israeli spyware maker NSO Group to pay WhatsApp $167 million in damages over its 2019 Pegasus campaign, which infected more than 1,400 devices.
Earlier this year, WhatsApp also disrupted a spyware campaign targeting around 90 users, including Italian journalists and civil society representatives. The Italian government denied involvement, and spyware maker Paragon later cut off Italy’s access to its hacking tools.
© IE Online Media Services Pvt Ltd