WhatsApp Zero-Click Attack Targets Journalists and Activists
WhatsApp, owned by Meta, has been targeted by a sophisticated zero-click attack, affecting both iPhone and Android users. This includes journalists, human rights defenders, and opposition politicians. The attack, discovered by AmnestyTech, exploits vulnerabilities in WhatsApp's end-to-end encryption and Apple's core image library.
The attack, which requires no user interaction, was made possible by an authorization bypass issue (CVE-2025-55177) in WhatsApp on iOS and Mac, and a zero-click vulnerability (CVE-2025-43300) in Apple's core image library. Meta, the parent company of WhatsApp, has announced it is sponsoring the Pwn2Own Ireland 2025 hacking competition, offering up to $1 million for a WhatsApp exploit allowing remote code execution with no user interaction.
Commercial spyware vendors are often behind such zero-day exploits. The surveillance industry is experiencing exponential growth due to demand from rogue governments and malicious actors for advanced malware and surveillance tools. WhatsApp has warned users targeted by advanced spyware, sending threat notifications to affected individuals from the past 90 days. The company urges recipients to review their devices for unusual behavior, update to the latest version, and enable enhanced security measures.
WhatsApp users, particularly high-risk users such as journalists and activists, should be vigilant. While there is no specific attribution for the recent attack, it serves as a reminder of the ongoing threat posed by sophisticated spyware. Users are advised to stay updated with the latest software versions and enable all available security measures.
