WhatsApp said Friday that it fixed a security bug in its iOS and Mac apps that was used to stealthily hack the Apple devices of “specific target users.”
The Meta-owned messaging app giant said in its security advisory that it has fixed the vulnerability, officially known as CVE-2025-55177.
Apple said at the time that the flaw was being used in “a very sophisticated attack on a particular targeted individual.” Now we know that dozens of WhatsApp users have been targeted with this pair of flaws.
Donncha Ó Cearbhaill, who leads Amnesty International's security lab, described the attack in a post on X as an “advanced spyware campaign” that has targeted users over the past 90 days, or since the end of May. Ó Cearbhaill described the pair of bugs as a “zero click” attack, meaning it does not require any interaction from the victim, such as clicking on a link, to compromise their device.
Chained together, the two bugs allow an attacker to deliver a malicious exploit through WhatsApp that is capable of stealing data from the user's Apple device.
Per Ó Cearbhaill, who posted a copy of the threat notification that WhatsApp sent to an affected user, the attack was able to “compromise data that contains devices and messages.”
It is not immediately clear who or which spyware vendor is behind the attack.
When reached by TechCrunch, Meta spokesperson Margarita Franklin confirmed that the company detected and patched the flaw “a few weeks ago,” and that the company sent “less than 200” notifications to WhatsApp users.
The spokesperson did not say, when asked, whether WhatsApp has evidence attributing the hack to a particular attacker or surveillance vendor.
This is not the first time WhatsApp users have been targeted by government spyware, a type of malware that can break into even fully patched devices by using vulnerabilities unknown to the vendor, known as zero-day flaws.
In May, a US court ordered the spyware maker NSO Group to pay $167 million in damages for a 2019 hacking campaign that broke into the devices of more than 1,400 WhatsApp users with an exploit capable of planting NSO's Pegasus spyware. WhatsApp brought the legal case against NSO, citing violations of federal and state hacking laws, as well as its own terms of service.
Earlier this year, WhatsApp disrupted a spyware campaign that targeted around 90 users, including Italian journalists and civil society members. The Italian government has denied involvement in the spying campaign. Paragon, whose spyware was used in the campaign, later cut Italy off from its hacking tools for failing to investigate the abuses.
Have you received a notification that your device has been compromised? Contact this reporter securely on Signal via the username zackwhittaker.1337.