WhatsApp has addressed a serious security flaw that affected its iPhone and Mac apps, after discovering an advanced spyware campaign that exploited the vulnerability using a zero-click method. This type of attack required no user interaction and was capable of compromising Apple devices without any warning. The spyware campaign targeted around 90 individuals, including journalists and civil society members in Italy, raising fresh concerns over digital surveillance.
Spyware
The attack was uncovered by Amnesty International’s Security Lab, with researcher Donncha Cearbhaill describing it as a highly sophisticated spyware campaign. It had been active for at least 90 days and used a stealthy zero-click exploit to access user data. These types of exploits allow attackers to deliver malware without the user needing to click or interact with any message or link.
Even more concerning was the fact that this attack targeted Apple devices, which are generally considered to be among the most secure in the consumer tech space. This incident shows that no system is completely safe, especially when up against well-funded spyware developers.
Targets
The attack reportedly impacted around 90 people, with a focus on high-risk individuals such as journalists and human rights defenders in Italy. The Italian government denied any involvement, but the spyware vendor Paragon chose to cut off Italy’s access to its surveillance tools due to the lack of proper investigation into misuse.
WhatsApp, owned by Meta, has stated that fewer than 200 users were notified after the patch was rolled out. Although no specific attacker or company has been officially blamed, the attack follows a familiar pattern often seen in state-sponsored surveillance efforts.
Legal Action
This development comes alongside a major legal win for WhatsApp. A US court has ordered NSO Group, the creators of Pegasus spyware, to pay $167 million in damages. This ruling is tied to the 2019 attack where Pegasus was used to hack over 1,400 WhatsApp users. WhatsApp had filed the lawsuit citing violations of federal hacking laws and its own terms of service.
This court order sends a strong message to spyware vendors, especially those who target apps used by billions of people. It also reinforces the idea that tech companies are now actively fighting back through legal channels, not just technical fixes.
Security Patch
The recent vulnerabilities, listed as CVE-2025-55177 and CVE-2025-43300, were used in what Apple described as an “extremely sophisticated attack against specific targeted individuals”. These bugs affected both iOS and macOS versions of WhatsApp, which have now been patched.
Meta confirmed the issue had been resolved weeks ago. Affected users received threat notifications, warning that the spyware could compromise their device and access private data, including messages. WhatsApp acted quickly to patch the flaws and secure the app against further misuse.
Lessons
This incident highlights the ongoing battle against spyware and zero-day attacks, which exploit bugs that developers are unaware of until they are actively exploited. The importance of keeping apps updated cannot be overstated. Installing updates regularly and enabling features like two-step verification are some of the best defences users have right now.
Here’s a quick look at the incident details:
Key Detail | Information |
---|---|
Type of Attack | Zero-click spyware |
Affected Platforms | WhatsApp for iOS and macOS |
Vulnerabilities | CVE-2025-55177, CVE-2025-43300 |
Number of Users Notified | Fewer than 200 |
Target Group | Journalists, activists in Italy |
Patch Status | Fixed by WhatsApp |
Legal Outcome | NSO Group ordered to pay $167 million |
While the issue has been resolved, the growing frequency of these attacks underscores the importance of digital hygiene and ongoing vigilance. For now, WhatsApp’s quick patch and legal pushback show a clear intent to protect its users, but it’s a reminder that even the most trusted apps can become targets.
FAQs
What was the recent WhatsApp bug?
A zero-click spyware attack targeting iPhone and Mac users.
How many users were affected?
Fewer than 200 users received threat notifications from WhatsApp.
What platforms were impacted?
WhatsApp on iOS and macOS devices was affected.
Who is NSO Group?
A spyware maker behind Pegasus, now fined $167 million.
What should users do now?
Update WhatsApp and enable two-step verification for security.