WhatsApp Fixes Zero-Day Flaw Used to Deploy Paragon Graphite Spyware

WhatsApp has fixed a zero-click, zero-day vulnerability that was used to install Paragon's Graphite spyware on the devices of targeted individuals. The company confirmed that the issue was fixed in December 2024 without a client-side update, and that no CVE identifier was assigned.

The campaign, which targeted journalists and members of civil society, was discovered by Meta, which then disrupted it on WhatsApp. According to the Citizen Lab at the University of Toronto, the attackers used a "zero-click" exploit, one that compromises the target's device without any interaction from the user. WhatsApp did not disclose where the targeted individuals were located.

WhatsApp sent Paragon a cease-and-desist letter and said it is exploring legal action. "WhatsApp has disrupted a spyware campaign by Paragon that targeted a number of users including journalists and members of civil society," said a company spokesperson. "We've reached out directly to people who we believe were affected. This is the latest example of why spyware companies must be held accountable for their unlawful actions. WhatsApp will continue to protect people's ability to communicate privately."

The attacks appear to have been carried out with a specially crafted PDF file, sent to targets after they were added to group chats; consistent with a zero-click exploit, no action by the recipient was required. Citizen Lab researchers mapped Paragon Solutions' spyware infrastructure and identified its tool, "Graphite", through digital fingerprints and TLS certificates.

"We shared our analysis of Paragon's infrastructure with Meta, who told us that the details were pivotal to their ongoing investigation into Paragon," said John Scott-Railton of the research group Citizen Lab. "WhatsApp discovered and mitigated an active Paragon zero-click exploit, and later notified over 90 individuals who it believed were targeted, including civil society members in Italy."

Citizen Lab also linked Paragon to several IP addresses hosted at local telecoms in a number of countries, which it suggested belong to government customers. A misconfigured digital certificate further corroborated the link between that infrastructure and Paragon.

"The infrastructure we found is linked to webpages entitled 'Paragon' returned by IP addresses in Israel (where Paragon is based), as well as a TLS certificate containing the organization name 'Graphite', which is the name of Paragon's spyware, and the common name 'installerserver' (Pegasus, a competitor spyware product, uses the term 'Installation Server' to refer to a server designed to infect a device with spyware)," reads the report published by Citizen Lab.
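The certificate-field matching the report describes, as an added example in Go; this is not Citizen Lab's code or methodology, and it is not code from WhatsApp or Meta. It assumes a simple rule chosen for illustration, that the subject organization equals "Graphite" and the common name equals "installerserver" (the two values quoted above), generates throwaway self-signed certificates as constructed test data in place of certificates a scanner would collect from live endpoints, and records the SHA-256 of the DER, the usual key for pivoting across certificate datasets.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// CertIndicator holds the two subject fields Citizen Lab quoted from the
// Graphite TLS certificate. Requiring both to match is a rule chosen for this
// example; it is not Citizen Lab's published matching logic.
type CertIndicator struct {
	Organization string
	CommonName   string
}

// GraphiteIndicator carries the values quoted in the Citizen Lab report.
var GraphiteIndicator = CertIndicator{Organization: "Graphite", CommonName: "installerserver"}

// MatchResult records the pivot key (SHA-256 of the DER certificate), the
// subject as parsed, and whether the indicator matched.
type MatchResult struct {
	SHA256  string
	Subject string
	Matched bool
}

// CheckCert parses a DER-encoded X.509 certificate and compares its subject
// against the indicator. Matching is case-insensitive (an assumption here,
// to tolerate capitalisation differences between deployments).
func CheckCert(der []byte, ind CertIndicator) (MatchResult, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return MatchResult{}, fmt.Errorf("not a parseable certificate: %w", err)
	}
	sum := sha256.Sum256(der)
	res := MatchResult{SHA256: hex.EncodeToString(sum[:]), Subject: cert.Subject.String()}
	orgHit := false
	for _, o := range cert.Subject.Organization {
		if strings.EqualFold(o, ind.Organization) {
			orgHit = true
			break
		}
	}
	res.Matched = orgHit && strings.EqualFold(cert.Subject.CommonName, ind.CommonName)
	return res, nil
}

// MakeSelfSignedCert produces a throwaway self-signed certificate with the
// given subject. It is constructed test data standing in for certificates a
// scanner would collect from live TLS endpoints.
func MakeSelfSignedCert(org, cn string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	subject := pkix.Name{CommonName: cn}
	if org != "" {
		subject.Organization = []string{org}
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      subject,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

func main() {
	// Constructed samples: one mirroring the reported certificate, one with
	// only the organization field, and one unrelated server certificate.
	samples := []struct{ org, cn string }{
		{"Graphite", "installerserver"},
		{"Graphite", "www.example.test"},
		{"Example Corp", "mail.example.test"},
	}
	for _, s := range samples {
		der, err := MakeSelfSignedCert(s.org, s.cn)
		if err != nil {
			panic(err)
		}
		res, err := CheckCert(der, GraphiteIndicator)
		if err != nil {
			panic(err)
		}
		fmt.Printf("matched=%-5v sha256=%s... subject=%q\n", res.Matched, res.SHA256[:16], res.Subject)
	}
}
```

A subject match on its own is a lead, not proof of attribution: certificate subjects are free-form and can be copied. The report treats the certificate as one signal alongside the "Paragon" webpages and the IP hosting, which is why the function returns the certificate hash and parsed subject rather than a verdict, so an analyst can corroborate before acting.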

The report names Australia, Canada, Cyprus, Denmark, Israel, and Singapore as suspected customers of the Israeli spyware maker Paragon Solutions. As the threat from commercial spyware vendors persists, WhatsApp's action is a reminder of the importance of holding these companies accountable.

Key Takeaways

  • WhatsApp fixed a zero-click, zero-day vulnerability used to install Paragon's Graphite spyware on the devices of targeted individuals, without a client-side update and with no CVE assigned.
  • The hacking campaign targeted journalists and civil society members.
  • WhatsApp alerted over 90 individuals who it believed were targeted, including civil society members in Italy.
  • Citizen Lab mapped Paragon Solutions' spyware infrastructure and identified its tool "Graphite" through digital fingerprints and certificates.
  • The attacks appear to have used a specially crafted PDF file, delivered after targets were added to group chats, with no interaction required from the recipient.