
WhatsApp has announced that it has patched a serious security vulnerability (CVE-2025-55177) in its iOS and Mac apps that was actively exploited in highly targeted spyware attacks. The flaw, when combined with a related Apple iOS bug (CVE-2025-43300), enabled hackers to infiltrate iPhones and Macs without requiring victims to click anything – a “zero-click” exploit.
According to Amnesty International’s Security Lab, the campaign began in late May and continued for around 90 days. Hackers leveraged WhatsApp as a delivery vector, allowing spyware to secretly infect devices, steal messages, and extract other sensitive data from iPhones. The attackers used a sophisticated chain of exploits to bypass Apple’s defenses and gain complete access to targeted accounts.
Who Was Affected?
Meta confirmed that fewer than 200 WhatsApp users worldwide were affected, most of them individuals considered “high-value targets.” WhatsApp has already sent warning notifications to impacted users. While the identities of the attackers remain unknown, the operation resembles previous government-linked spyware campaigns.
This is not the first time WhatsApp security flaws have been weaponized. In May 2025, a U.S. court ordered Israeli spyware maker NSO Group to pay WhatsApp $167 million in damages over its infamous Pegasus spyware attack that infected over 1,400 users in 2019. Earlier this year, WhatsApp also disrupted another spyware campaign targeting Italian journalists and civil society groups.
WhatsApp and Apple’s Response
A Meta spokesperson confirmed the vulnerability had been patched “a few weeks ago.” Apple also released a security update for iOS and macOS to fix the associated bug. Both companies strongly recommend users update WhatsApp, iOS, and macOS to the latest versions, enable two-factor authentication, and remain vigilant against phishing scams and spyware threats.
The rise of zero-click spyware attacks highlights growing risks for journalists, activists, and political figures. These sophisticated exploits show how messaging apps like WhatsApp and even secure platforms like Apple’s iOS can be abused in state-sponsored surveillance campaigns. Cybersecurity experts warn that such attacks are becoming harder to detect and may become a recurring threat in 2025.