WhatsApp issues urgent iPhone update after 'extremely sophisticated' zero-click attack discovered
Meta says it has patched a vulnerability in WhatsApp for iPhone but users must update the app to activate the fix after a sophisticated spyware campaign targeted some accounts

WhatsApp and parent company Meta have released an urgent update for iPhone users after security researchers identified an "extremely sophisticated" zero-click exploit that was used in an advanced spyware campaign, officials and researchers said.
WhatsApp said it has fixed the vulnerability but that the patch takes effect only after users update the app. Donncha Ó Cearbhaill, who leads the Security Lab at Amnesty International, said in a thread on X that WhatsApp had sent threat notifications to people it believes were targeted in the past 90 days and urged anyone who received such a notification to update their device immediately. Ó Cearbhaill described the activity as an "advanced spyware campaign" that had been ongoing for about three months, though he and WhatsApp said it remained unclear how many people were affected and who was responsible for the attacks.
The exploit has been described as "zero-click," meaning it could compromise a device without the target taking any visible action such as opening a message or clicking a link. That characteristic makes zero-click vulnerabilities particularly valuable to operators of advanced spyware, security researchers say, because they can be deployed covertly.
WhatsApp's notification system, which has begun informing potentially targeted users, is intended to alert individuals who may have been compromised so they can take immediate steps such as updating the app and reviewing device security. Meta urged all iPhone users to install the update but did not provide a public estimate of the number of accounts notified or further technical details about the vulnerability.
Security researchers and advocacy groups have increasingly monitored the use of sophisticated spyware in recent years and have pressed platform companies to move quickly when flaws are discovered. In this instance, Amnesty International's Security Lab flagged the ongoing campaign and publicized WhatsApp's notifications, prompting renewed calls from researchers for affected users to apply the patch.
WhatsApp did not disclose the exact technical mechanism of the flaw in its public comments. Industry experts cautioned that even when a vendor issues a patch, affected users must install updates promptly, and organizations should verify that devices are running the latest versions of both apps and operating systems to reduce the risk of exploitation.
Users who receive a threat notification from WhatsApp should follow the app's guidance and install available updates. For users who did not receive a notification, experts advised maintaining current app and system updates and following standard security practices. Meta said it is continuing to investigate the incident and will provide further information to users and partners as appropriate.