WhatsApp has patched a critical “zero-click” vulnerability that was actively being exploited to deliver mercenary spyware to a small number of high-profile targets, including journalists and members of civil society. The bug, which was discovered and mitigated in late 2024, did not require any interaction from the user, making it particularly dangerous.
The discovery resulted from an investigation by Meta’s security team in collaboration with Citizen Lab, the cybersecurity research group at the University of Toronto. The zero-click exploit took advantage of a vulnerability in WhatsApp’s code that allowed attackers to remotely install spyware without the victim ever clicking a malicious link or opening a file. In this case, the attackers used malicious PDF files sent through WhatsApp group chats to deliver a surveillance tool known as “Graphite,” developed by the Israeli firm Paragon Solutions.
Once delivered, the spyware could infiltrate a user’s device and compromise other apps, gaining access to sensitive data, including messages, pictures, and other personal information. WhatsApp was able to disrupt the attack and, in late January 2025, notified approximately 90 affected users in over two dozen countries. The fix was deployed server-side, meaning users did not need to update their app to be protected.
The incident is a stark reminder of the growing threat of sophisticated spyware and the need for greater accountability for the companies that create and sell these tools. WhatsApp has issued a cease-and-desist letter to Paragon and has stated it will continue to take legal action against spyware companies that violate user privacy.
The fix for Apple users was implemented in iOS 18 after Apple’s security teams were notified of a separate but related attack vector targeting iPhones. While the risk to the general public remains low due to the highly targeted nature of these attacks, cybersecurity experts continue to emphasize the importance of keeping all software, operating systems, and apps up to date to patch known vulnerabilities.