On Friday, WhatsApp, the popular messaging app owned by Meta, announced that it has successfully addressed a significant security bug in its iOS and Mac applications. This vulnerability was exploited to stealthily infiltrate the Apple devices of “specific targeted users.” In its recent security advisory, WhatsApp revealed that the issue, identified as CVE-2025-55177, was being leveraged in conjunction with another flaw found in Apple's operating systems, tracked as CVE-2025-43300, which Apple patched the previous week.
Apple had previously described the flaw as part of an “extremely sophisticated attack against specific targeted individuals.” Recent reports indicate that dozens of WhatsApp users fell victim to this dual vulnerability. Donncha Ó Cearbhaill, head of Amnesty International’s Security Lab, referred to the attack as an “advanced spyware campaign,” noting that it targeted users over the past 90 days, specifically since the end of May.
Ó Cearbhaill characterized the vulnerabilities as a zero-click attack, meaning that no interaction from the victim, such as clicking a link, is needed for the compromise to occur. By chaining the two flaws together, attackers were able to deliver a malicious exploit via WhatsApp that could extract sensitive data from the affected user's Apple device. According to Ó Cearbhaill, the attack could "compromise your device and the data it contains, including messages."
At this time, it remains unclear who is behind these attacks or which spyware vendor may be involved. When approached for comment by TechCrunch, Meta spokesperson Margarita Franklin confirmed that the company detected and patched the flaw "a few weeks ago." She also said that fewer than 200 notifications were sent to affected WhatsApp users. However, Franklin did not say whether WhatsApp has evidence linking the hacks to a specific attacker or surveillance vendor.
This incident is not the first time WhatsApp users have been targeted by government-backed spyware. Such malware is designed to compromise fully patched devices by exploiting previously unknown vulnerabilities, known as zero-day flaws. In May, a U.S. court ordered the spyware maker NSO Group to pay WhatsApp $167 million in damages for a 2019 hacking campaign that compromised over 1,400 WhatsApp users through an exploit capable of deploying NSO's notorious Pegasus spyware.
WhatsApp's legal action against NSO was based on violations of federal and state hacking laws, as well as breaches of its own terms of service. Earlier this year, WhatsApp also thwarted a spyware campaign that targeted approximately 90 users, including journalists and civil society members in Italy. Although the Italian government denied any involvement in this spying operation, the spyware vendor Paragon subsequently severed ties with Italy over the lack of investigation into the misuse of its tools.
If you received a notification indicating that your device was compromised, please reach out to this reporter securely via Signal at the username zackwhittaker.1337.