iPhone Users Urged to Update After WhatsApp Zero-Click Spyware Attack

WhatsApp has released a security update to fix a zero-click flaw that security researchers say was used in a targeted spyware campaign. The vulnerability, tracked as CVE-2025-55177, was paired with an Apple operating system bug that has also been patched.

According to Amnesty International’s Security Lab, the attack has been active since late May and focused on a limited number of users. WhatsApp confirmed fewer than 200 individuals were notified of possible targeting.

A zero-click vulnerability allows attackers to compromise a device without requiring user interaction. Unlike phishing links or malicious attachments, this type of exploit runs automatically once a crafted message, image, or file is processed by the device, bypassing security tools and leaving little trace of intrusion.

Security researchers said the exploit used a previously unknown weakness to deliver spyware to Apple devices. The malicious code was embedded in a message sent via WhatsApp and triggered without the recipient opening the content. Amnesty’s findings indicate the campaign lasted around 90 days.

Apple addressed the system-level bug on August 20 with the release of iOS 18.6.2 and iPadOS 18.6.2. Its security notes said that processing a specially crafted image could cause memory corruption, enabling attackers to execute code remotely.

Meta, WhatsApp’s parent company, confirmed that users identified as potential targets were sent alerts but said it cannot confirm which devices were fully compromised. The company urged all iOS users to update their devices and install the latest WhatsApp version.

For individuals who received security warnings, Meta recommended performing a full factory reset as a precaution. Even users without notifications are advised to run the latest operating system updates to ensure protection.