A new spyware campaign chained a flaw in WhatsApp with a flaw in iOS 18.6, exposing users to a "zero-click" hack that required no interaction to compromise an iPhone.

Meta confirmed on August 29, 2025, that it had patched a flaw in its iOS and Mac apps. The flaw was tracked as CVE-2025-55177 in the database of known security flaws.

Apple had previously issued a fix for a related iOS and macOS vulnerability, CVE-2025-43300, on August 20. Together, these two bugs were used to target a select group of WhatsApp users.

Security researchers describe the campaign as a "zero-click" exploit. That means victims didn't need to tap a link or open a file. The malicious code was delivered silently through WhatsApp, chaining the two flaws to break into Apple devices.

Once inside, attackers gained access to messages and personal data. Donncha O Cearbhaill, head of Amnesty International's Security Lab, said the spyware was active for 90 days starting in late May.

The attack only worked because two flaws lined up, one inside WhatsApp and the other in Apple's software. Meta fixed its apps, and Apple patched iOS and macOS, but users needed both updates before the door was fully shut.

Installing only one update left devices exposed, which shows how tricky these chained exploits can be.

Who was targeted

O Cearbhaill called it an "advanced spyware campaign" that successfully compromised dozens of Apple users.

WhatsApp said it detected and fixed the vulnerability "a few weeks ago." The company emphasized that the flaw is now closed, though it didn't specify exactly when the patch rolled out.

Meta spokesperson Margarita Franklin confirmed the company sent fewer than 200 notifications to affected WhatsApp users. She declined to attribute the attack to any known spyware vendor or government, leaving the culprit officially unidentified.

Why it matters

Zero-day and zero-click exploits represent the most dangerous category of digital threats. Unlike typical malware, they don't require user error, like clicking on a phishing link. Instead, they weaponize undisclosed vulnerabilities.

That means even the most careful user can be compromised. Apple markets its ecosystem as one of the most secure, but as history shows, determined surveillance operators find cracks.

What users can do against WhatsApp spyware

Spyware campaigns are rarely aimed at ordinary users, but when governments and private firms wield these tools, journalists, activists, and dissidents are often in the crosshairs.

The takeaway for iPhone and Mac users is clear. Keep your devices updated, because even the most advanced spyware campaigns rely on vulnerabilities that eventually get patched. Once the update is out, attackers lose their silent entry point.

For those in high-risk groups like activists or journalists, the risk of messages, photos, and sensitive data being copied before the fix arrives can't be shrugged off as theoretical.