WhatsApp Fixes ‘Zero-Click’ Spyware Bug on Apple Devices

WhatsApp has fixed a major security flaw that was being used to silently hack iPhones and Macs. The Meta-owned app confirmed that attackers exploited a zero-click vulnerability, which requires no action from the victim, to install spyware and steal data. The flaw, tracked as CVE-2025-55177, was used in combination with a separate Apple bug (CVE-2025-43300) that the iPhone maker patched last week.

Apple described its vulnerability as part of an “extremely sophisticated attack” against specific targeted users. Together, the two bugs gave hackers a way to send a malicious message through WhatsApp that could compromise the device and access sensitive data, including messages, photos, and files.

A Sophisticated Zero-Click Attack

Amnesty International’s Security Lab, which has been investigating the campaign, said the spyware campaign has been active since late May. Donncha Ó Cearbhaill, who leads the lab, described it as a zero-click exploit, meaning victims did not have to click links or open files for their devices to be compromised. Amnesty confirmed that WhatsApp threat notifications were sent to affected individuals over the past 90 days.

🚨 BREAKING: New zero-click exploit used to hack WhatsApp users.

WhatsApp has just sent out a round of threat notifications to individuals they believe where targeted by an advanced spyware campaign in past 90 days.

Seek out expert help if you have received this alert pic.twitter.com/i4cHLsiNOr

— Donncha Ó Cearbhaill (@DonnchaC) August 29, 2025

Meta spokesperson Margarita Franklin said WhatsApp detected and patched the flaw weeks ago. The company has since notified fewer than 200 users, although it is unclear who was behind the campaign or which spyware vendor was involved.

Meta’s Advice to WhatsApp Users

In its advisory, WhatsApp warned that a malicious message may have been sent to targeted users and recommended that they not only update to the latest app and OS versions but also consider performing a full device factory reset. While both Apple and WhatsApp have rolled out fixes, Meta cautioned that devices compromised earlier may still be at risk.

Another Chapter In WhatsApp’s Spyware Battle

This isn’t the first time WhatsApp has been used as a vector for spyware delivery. In May, Israeli spyware firm NSO Group was ordered by a U.S. court to pay $167 million in damages for its 2019 Pegasus campaign, which hacked more than 1,400 WhatsApp users. Earlier this year, WhatsApp also disrupted a Paragon spyware campaign that targeted around 90 users in Italy, including journalists and civil society members.

For everyday users, the risks remain low since the attack was highly targeted. Still, the incident highlights the importance of keeping devices and apps up to date. With details of the flaws now public, outdated software is more likely to be exploited in opportunistic attacks. If you haven’t already, update WhatsApp and your Apple devices to the latest versions to stay protected.