WhatsApp Patches Zero-Click Spyware Attack Vector on Android

WhatsApp has addressed a vulnerability used in mercenary spyware attacks on high-profile targets.

The Citizen Lab has published an investigation into the Israeli developer of surveillance software, Paragon Solutions, “to untangle multiple threads connected to the proliferation of Paragon’s mercenary spyware operations across the globe.”

The security teams at Apple, Google, and WhatsApp parent company Meta have been working with the spyware crusaders at Citizen Lab over the years to plug holes exploited in spyware attacks - more recently, involving Paragon’s product, known as Graphite.

“WhatsApp discovered and mitigated an active Paragon zero-click exploit, and later notified over 90 individuals who it believed were targeted, including civil society members in Italy,” the lab says.

The highlight confirms reports from last month of Meta disrupting a malicious campaign targeting journalists and civil society members on its popular messaging platform.

Fixed server-side (no update required)

BleepingComputer reports that WhatsApp addressed the attack vector late last year “without the need for a client-side fix”—meaning end users did not need to take any action (such as updating WhatsApp on their phones).

In a statement to the news site, a WhatsApp spokesperson said:

“WhatsApp has disrupted a spyware campaign by Paragon that targeted a number of users including journalists and members of civil society. We’ve reached out directly to people who we believe were affected. This is the latest example of why spyware companies must be held accountable for their unlawful actions. WhatsApp will continue to protect people’s ability to communicate privately.”

Users targeted in seven countries

Paragon maintains that it doesn’t sell its surveillance software to unethical clients—ones that use it for personal gain rather than law enforcement fighting crime—and that it works to prevent the kinds of alleged spyware abuses that NSO Group and other players in the market are notorious for, according to the report.

However, the Canadian spyware fighters say they have reason to believe Graphite has been used in numerous unethical attacks in Italy, Canada, Australia, Cyprus, Denmark, Israel, and Singapore.

“We forensically analyzed multiple Android phones belonging to Paragon targets in Italy […] who were notified by WhatsApp,” reads the report. “We found clear indications that spyware had been loaded into WhatsApp, as well as other apps on their devices.”

The zero-click attack flow on Android. A zero-click attack requires no interaction from the victim.

Source: The Citizen Lab, an interdisciplinary division of the Munk School of Global Affairs & Public Policy, University of Toronto.

iPhone users protected on iOS 18

Apple periodically defends its own user base against cyberattacks with timely software patches deployed across every iOS update cycle.

“We analyzed the iPhone of an individual who worked closely with confirmed Android Paragon targets,” the report adds. “This person received an Apple threat notification in November 2024, but no WhatsApp notification. Our analysis showed an attempt to infect the device with novel spyware in June 2024. We shared details with Apple, who confirmed they had patched the attack in iOS 18.”

The report includes an infrastructure analysis of Graphite and a forensic analysis of infected devices belonging to civil society members.