# Zero-Click Apple and WhatsApp Bug Combo Used to Drop Gov Spyware
Meta's encrypted communications app WhatsApp has disclosed that a zero-click vulnerability in its platform was exploited by an unnamed government agency to deploy spyware on targeted individuals. The bug, tracked as CVE-2025-55177, was used in combination with a flaw in Apple's image input/output handling framework (CVE-2025-43300) to carry out the attack.
The discovery has left many wondering how such a sophisticated operation could be carried out without user interaction, which makes it almost impossible for victims to detect. WhatsApp has since confirmed that the Apple bug was used in its iOS app prior to version 2.25.21.73, as well as in the Business and macOS versions (earlier than version 2.25.21.78). This allowed an attacker to trigger processing of content from an arbitrary URL on a target's device.
The root cause of the WhatsApp bug was incomplete authorization of linked device synchronization messages, which left users vulnerable to attacks like this one.
While the exact individuals targeted by the flaws remain undisclosed, Amnesty International's Security Labs head Donncha Ó Cearbhaill has stated that his organization is investigating cases involving a number of individuals being targeted in the campaign. In such instances, it is essential to keep devices updated and enable Apple's iOS Lockdown Mode or the Android Advanced Protection Mode to protect against attacks like this.
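
To check a fleet against the fixed versions given above, the following added example (not code from WhatsApp, Apple or the original article) audits an app inventory and flags installs older than those versions. The CSV layout, the product labels `ios`, `business` and `macos`, and the device names are assumptions constructed for illustration.

```python
import csv
import io

# First fixed versions, as stated in the article above.
FIXED = {
    "ios": (2, 25, 21, 73),
    "business": (2, 25, 21, 78),
    "macos": (2, 25, 21, 78),
}

# Constructed sample inventory (hypothetical devices and column layout).
SAMPLE_INVENTORY = """device,product,version
phone-01,ios,2.25.21.72
phone-02,ios,2.25.21.73
phone-03,business,2.25.21.77
mac-01,macos,2.25.22.1
mac-02,macos,2.25.9.80
phone-04,ios,unknown
tablet-01,android,2.25.20.10
"""


def parse_version(text):
    """Return a dotted version as a tuple of ints, or None if malformed."""
    parts = text.strip().split(".")
    if not all(p.isascii() and p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def audit(inventory_csv):
    """Map each device to 'vulnerable', 'patched', 'unparsed' or 'not-listed'."""
    results = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        fixed = FIXED.get(row["product"].strip().lower())
        version = parse_version(row["version"])
        if fixed is None:
            status = "not-listed"   # product not named in the article
        elif version is None:
            status = "unparsed"     # needs manual follow-up, not a pass
        elif version < fixed:
            status = "vulnerable"   # numeric compare: 2.25.9.x < 2.25.21.x
        else:
            status = "patched"
        results[row["device"]] = status
    return results


if __name__ == "__main__":
    for device, status in audit(SAMPLE_INVENTORY).items():
        print(f"{device:10} {status}")
```

Versions are compared as integer tuples rather than strings, so a build such as 2.25.9.80 is correctly treated as older than 2.25.21.78.
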
Interestingly, this incident follows a recent development where the US House of Representatives banned the use of WhatsApp on staff devices due to concerns over data protection and potential security risks. The ban was issued after Meta deemed the app a high risk to users, citing issues with stored data encryption and lack of transparency in how it protects user data.
Furthermore, Israeli spyware vendor NSO Group has faced consequences for its involvement in hacking WhatsApp to target more than 1,400 users' devices with the Pegasus malware. In May this year, the company was ordered to pay $167 million in damages to WhatsApp following a case brought against the spyware vendor in 2019.
As the world grapples with the increasing threat of government spyware, it is essential for individuals and organizations alike to remain vigilant and take proactive measures to protect themselves from such attacks.