WhatsApp fixes 'zero-click' bug used to hack Apple users with spyware | TechCrunch

"Donncha Ó Cearbhaill, who heads Amnesty International's Security Lab, described the attack in a post on X as an "advanced spyware campaign" that targeted users over the past 90 days, or since the end of May. Ó Cearbhaill described the pair of bugs as a "zero-click" attack, meaning it does not require any interaction from the victim, such as clicking a link, to compromise their device."
"The two bugs chained together allow an attacker to deliver a malicious exploit through WhatsApp that's capable of stealing data from the user's Apple device. Per Ó Cearbhaill, who posted a copy of the threat notification that WhatsApp sent to affected users, the attack was able to "compromise your device and the data it contains, including messages." It's not immediately clear who, or which spyware vendor, is behind the attacks."
"When reached by TechCrunch, Meta spokesperson Margarita Franklin confirmed the company detected and patched the flaw "a few weeks ago" and that the company sent "less than 200" notifications to affected WhatsApp users. The spokesperson did not say, when asked, if WhatsApp has evidence to attribute the hacks to a specific attacker or surveillance vendor."
WhatsApp patched a security vulnerability in its iOS and Mac apps tracked as CVE-2025-55177 that was used alongside an Apple flaw, CVE-2025-43300. Apple characterized the related flaw as part of an extremely sophisticated attack against specific targeted individuals. Amnesty International's Security Lab described the campaign as advanced spyware active for about 90 days and said the paired bugs enabled a zero-click exploit that required no user interaction. The chained flaws could deliver a malicious payload through WhatsApp capable of stealing device data, including messages. WhatsApp notified fewer than 200 affected users; attribution remains unclear.