Details have emerged from Meta's encrypted communications app WhatsApp on recent vulnerabilities that appear to have been used to deploy spyware from an unnamed government, without user interaction.

WhatsApp posted a security advisory for the vulnerability, tracked as CVE-2025-55177, saying it was used in combination with a flaw in Apple's image input/output handling framework in the company's iOS mobile operating system to target specific users.
For its part, Apple issued a patch in iOS and iPadOS 18.6.2 for CVE-2025-43300, which fixed memory corruption that could occur when processing malicious images, on August 20 United States time.
In its advisory, Apple said it was aware of a report that the issue "may have been exploited in an extremely sophisticated attack against specific targeted individuals."
WhatsApp has now confirmed that the Apple bug was used in its iOS app prior to version 2.25.21.73, and in the business and macOS versions of the same (earlier than version 2.25.21.78) to allow an attacker "to trigger processing of content from an arbitrary URL on target's device."
The WhatsApp flaw was due to incomplete authorisation of linked device synchronisation messages.
Who exactly was targeted by the flaws has not been disclosed as of yet.
Amnesty International's Security Labs head Donncha Ó Cearbhaill said the organisation is investigating cases involving a number of individuals being targeted in the campaign.
Ó Cearbhaill said "government spyware continues to pose a threat to journalists and human rights defenders," and added that the WhatsApp attack impacted both Apple iPhone and Google Android device users.
Keeping devices updated and enabling Apple's iOS Lockdown Mode, or the Android Advanced Protection Mode, protects against attacks like the above, Ó Cearbhaill added.
In June this year, the United States House of Representatives banned the use of WhatsApp on staff devices.
The notice accompanying the ban said the "[US] Office of Cybersecurity has deemed WhatsApp a high risk to users due to the lack of transparency in how it protects user data, absence of stored data encryption, and potential security risks involved with its use."
Prior to the US Congress ban, Israeli spyware vendor NSO Group was found liable for hacking WhatsApp to target more than 1400 users' devices with the Pegasus malware, in December 2024.
NSO Group was ordered to pay US$167 million in damages to WhatsApp in May this year for the hacking, in the case which was brought against the spyware vendor in 2019.