New Zero-Click Exploit Allegedly Used to Hack WhatsApp Users
In a concerning turn of events, WhatsApp has sent out mass threat notifications to individuals who were allegedly targeted by an advanced spyware campaign in the past 90 days. According to reports from Amnesty Tech, a new zero-click exploit was used to hack WhatsApp users, leaving many wondering if their devices and data have been compromised.
The Attack: A Zero-Click Exploit with No User Interaction
The attack, reported by Donncha Ó Cearbhaill, Head of Security Lab at Amnesty Tech, requires no user interaction. This means that victims could be compromised without clicking a link or downloading a file. Such exploits are typically linked to well-resourced threat actors, including state-sponsored groups.
WhatsApp Warns Users and Urges Them to Take Action
WhatsApp has urged recipients of the notification to review their devices for unusual behavior, update to the latest version, and enable enhanced security measures to reduce the risk of further compromise. The company has also announced that it has already patched the flaw exploited by attackers, but risks remain.
The Exploit Targets a Vulnerability in WhatsApp
Amnesty researchers investigating the attack report that the exploit targets an authorization bypass issue, tracked as CVE-2025-55177, in WhatsApp on iOS and Mac. The exploit allowed attackers to force "content from arbitrary URL" to be rendered on a target's device.
A Zero-Click Vulnerability Recently Patched by Apple
A zero-click vulnerability recently patched by Apple (CVE-2025-43300) was also used in the WhatsApp attack. This vulnerability can also be targeted through other apps besides WhatsApp, highlighting the need for users to stay vigilant and keep their devices updated.
Who's Behind the Attack?
Commercial spyware vendors are behind most zero-day exploits discovered by researchers in the wild. Zero-day exploits are essential components of stealth spyware campaigns. Surveillance software is used to spy on high-risk users, including journalists, human rights defenders, dissidents, and opposition party politicians.
The Impact on WhatsApp Users
The WhatsApp zero-click attack affects both iPhone and Android users, including members of civil society. The company is urging recipients of the notification to take immediate action to protect themselves from potential compromise.
What Can You Do?
To best protect yourself, you are strongly advised to:
* Keep your devices updated to the latest version of the operating system
* Ensure that your WhatsApp app is up to date
* Enable iOS Lockdown Mode or Android's Advanced Protection Mode to help protect against attacks like this
* Consider performing a full device factory reset as an extra layer of security
Conclusion
The recent zero-click exploit used to hack WhatsApp users serves as a reminder of the importance of staying vigilant and taking proactive steps to protect yourself from potential threats. By keeping your devices updated, enabling enhanced security measures, and being aware of the latest vulnerabilities, you can reduce the risk of further compromise and stay safe online.