If you use WhatsApp on an iPhone[1], make sure you update the app immediately.
A glitch in the Meta-owned chat app has left iPhone users vulnerable to a ‘sophisticated’ cyber attack that could steal your personal data.
Some WhatsApp users have been getting an alert telling them they might be a victim of the ‘zero-click’ hack, which has been ongoing for three months.
But it is unclear how many people are affected and who the perpetrators of the attack are.
WhatsApp has fixed the flaw that left users vulnerable to the attack – but people have to update their devices for it to take effect.
Donncha Ó Cearbhaill, who leads the Security Lab at Amnesty International, detailed the ‘advanced spyware campaign’ in an X (Twitter) thread[2].
‘WhatsApp has just sent out a round of threat notifications to individuals they believe were targeted by an advanced spyware campaign in the past 90 days,’ he said.
‘Make sure to update your devices.’

Meta releases urgent update for all iPhone users after ‘extremely sophisticated attack’ is found

The flaw, tracked as CVE-2025-55177, was found by internal researchers on the WhatsApp security team and detailed in a short blog post[3].
‘We assess that this vulnerability… may have been exploited in a sophisticated attack against specific targeted users,’ WhatsApp says.
‘[It] could have allowed an unrelated user to trigger processing of content from an arbitrary URL on a target’s device.’
According to WhatsApp, the vulnerability affects iOS and macOS, but Mr Ó Cearbhaill thinks it is ‘impacting both iPhone and Android users’.
Among them are ‘civil society individuals’, which could include non-governmental organizations, charity workers and journalists.
The security expert commended WhatsApp for catching the flaw and notifying people who may be affected through an in-app alert.
The alert says: ‘Our investigation indicates that a malicious message may have been sent to you through WhatsApp and combined with other vulnerabilities in your device’s operating system to compromise your device and the data it contains, including messages.
‘While we don’t know with certainty that your device has been compromised, we wanted to let you know out of an abundance of caution so you can take steps to secure your device and information.’


Expert Donncha Ó Cearbhaill said WhatsApp users should ‘seek out expert help’ if they have received this alert from the Meta platform. WhatsApp also recommends a ‘full device factory reset’, which returns a phone to its default settings, although it may wipe user data such as photos and files if they’re not stored on the cloud.
The vulnerability is classified as ‘zero-click’, which, as the name suggests, is where hackers can harm devices without any action from the user.
Typically, a zero-click exploit lets cybercriminals execute arbitrary code on victims’ devices, delivering spyware to monitor and collect user data quietly.
Adam Boynton, a security expert at software firm Jamf, said criminals make ‘significant investment’ in uncovering zero-click vulnerabilities like this one.
‘A zero-click exploit is a security flaw that can be triggered without the victim doing anything at all, such as clicking a link or opening a malicious file, making it far more dangerous than common scams,’ he told the Daily Mail.
‘These attacks are usually developed by highly resourced groups and aimed at high-value individuals such as politicians, journalists, lawyers, and activists.
‘Because they leave very few traces, they are difficult to detect and highly prized by attackers.’
According to Mr Boynton, exploits of this kind are often a ‘launchpad’ for extracting sensitive data, harvesting credentials, eavesdropping on conversations, or even staging a ransomware attack further down the line.
‘Attackers could send malicious data to a WhatsApp user’s Apple device and take advantage of a flaw without any clicks required,’ he said.

‘Once inside, attackers could spy on conversations, steal information or credentials, and potentially use the device as a launchpad for wider attacks.’
‘This is why patching apps and keeping operating systems up to date is so critical. Attackers know that if they can find a way in, the payoff is huge.’
To best protect themselves, WhatsApp users are strongly urged to keep their devices updated to the latest version of their operating system, and ensure WhatsApp is up to date.
The Meta platform also recommends a ‘full device factory reset’, which returns a phone to its default settings, although this may wipe user data such as photos and files if not stored on the cloud.
WhatsApp will directly notify users if they have been targeted with this exploit in the form of a notification inside the WhatsApp app, not by email or text.
‘Most users will not see such a notification, but everyone should still update their app to stay secure,’ Mr Boynton told the Daily Mail.
References
- [1] iPhone (www.dailymail.co.uk)
- [2] X (Twitter) thread (x.com)
- [3] blog post (www.whatsapp.com)