WhatsApp patches exploit used to target Apple devices of specific users
Meta-owned app and Apple issued fixes after a roughly 90-day campaign that targeted fewer than 200 users, researchers say
WhatsApp said it has patched a security vulnerability that was used in sophisticated attacks against the Apple devices of “specific targeted users,” and urged all users to update the app to the latest version.
In a blog post, the Meta-owned messaging app said the flaw, when chained with a separate vulnerability in iOS and iPadOS, allowed attackers to exploit and steal information from affected Apple devices. WhatsApp said fewer than 200 users were targeted and that it has notified those affected.
The Associated Press reported the disclosure on Sept. 3, 2025. Amnesty International’s Security Lab researcher Donncha Ó Cearbhaill posted on X that the malicious campaign lasted about 90 days and cautioned that other apps beyond WhatsApp may also have been affected. WhatsApp did not specify technical details of the exploit or identify who was behind the attacks.
Apple also acknowledged the vulnerability and released patches for iOS and iPadOS to address the underlying flaws, the company said. Both Apple and WhatsApp advised users to install the updates provided to ensure protections against the exploited bugs.
WhatsApp characterized the incident as targeting “specific targeted users,” rather than a broad compromise of its platform, and declined to provide details on the identities of those targeted. The company said it had taken steps to remediate the vulnerability and that its investigation was ongoing.
Security researchers and advocacy groups have in recent years documented similar targeted campaigns that chain messaging-app vulnerabilities with operating-system flaws to enable remote access to devices, extraction of data or installation of surveillance software. WhatsApp has previously patched high-profile vulnerabilities after researchers and governments raised concerns about sophisticated spyware that can be used against journalists, activists and other high-risk individuals.
It was not immediately clear who or which spyware vendor, if any, was responsible for the recent campaign. WhatsApp and Apple did not link the incident to a named attacker in their public statements.
Users are advised to update WhatsApp and keep devices current with the latest iOS and iPadOS security patches. WhatsApp said it had notified the users it identified as targeted and continues to monitor for related activity.
The incident underscores ongoing security challenges for messaging platforms and mobile operating systems, where isolated vulnerabilities can be combined to create powerful attack chains. Tech companies continue to face pressure from security researchers and regulators to detect, disclose and rapidly fix such flaws to protect users from targeted digital threats.