New zero-click exploit allegedly used to hack WhatsApp users


WhatsApp warns users targeted by advanced spyware, sending threat notifications to affected individuals from the past 90 days.

A new zero-click exploit was used to hack WhatsApp users, reported Donncha Ó Cearbhaill, Head of Security Lab at @AmnestyTech.

WhatsApp has just sent out a round of threat notifications to individuals it believes were targeted by an advanced spyware campaign in the past 90 days. WhatsApp warns some users that a malicious message may have exploited OS flaws to compromise devices and data. Donncha Ó Cearbhaill advises anyone who has received this alert to seek out expert help. The attack requires no user interaction, meaning victims could be compromised without clicking a link or downloading a file. Such exploits are typically linked to well-resourced threat actors, including state-sponsored groups. WhatsApp urges recipients of the notification to review their devices for unusual behavior, update to the latest version, and enable enhanced security measures to reduce the risk of further compromise.

WhatsApp announced that it had already patched the flaw exploited by attackers, but risks remain.

🚨 BREAKING: New zero-click exploit used to hack WhatsApp users.

WhatsApp has just sent out a round of threat notifications to individuals they believe were targeted by an advanced spyware campaign in the past 90 days.

Seek out expert help if you have received this alert pic.twitter.com/i4cHLsiNOr

— Donncha Ó Cearbhaill (@DonnchaC) August 29, 2025

Below is the text sent to the impacted users:

“Our investigation indicates that a malicious message may have been sent to you through WhatsApp and combined with other vulnerabilities in your device’s operating system to compromise your device and the data it contains, including messages.

While we don’t know with certainty that your device has been compromised, we wanted to let you know out of an abundance of caution so you can take steps to secure your device and information.

We’ve made changes to prevent this specific attack from occurring through WhatsApp. However, your device’s operating system could remain compromised by the malware or be targeted in other ways.

To best protect yourself, we recommend a full device factory reset. We also strongly urge you to keep your devices updated to the latest version of the operating system, and ensure that your WhatsApp app is up to date.”

Commercial spyware vendors are behind most zero-day exploits discovered by researchers in the wild. Zero-day exploits are essential components in stealth spyware campaigns.

Surveillance software is used to spy on high-risk users, including journalists, human rights defenders, dissidents and opposition party politicians.

The surveillance industry is experiencing exponential growth, fueled by the sustained demand from rogue governments, intelligence agencies, and malicious actors for sophisticated malware and surveillance tools.

In early August, Meta announced it is sponsoring ZDI’s Pwn2Own Ireland 2025 hacking competition, where participants can earn big prizes for smartphone, WhatsApp and wearable device exploits. Participants can earn up to $1 million for a WhatsApp exploit that allows attackers to achieve remote code execution with no user interaction.


Pierluigi Paganini

(SecurityAffairs – hacking, WhatsApp)


