Did a WhatsApp Flaw Put Your Mac and iPhone at Risk? Here’s What You Need to Know
WhatsApp has recently fixed a serious security problem within its application for both iPhones and Mac computers. This issue allowed attackers to install spyware on a person’s device without the person having to click on anything at all.
This kind of attack is called a zero-click exploit. It is dangerous because it requires no action from you, the user. The spyware could be installed on your device even if you never opened a suspicious message or clicked a strange link.
The Two-Part Security Problem
This attack was clever because it used two separate security flaws at the same time. Think of it like a team of burglars where one picks the lock on the main gate and the other picks the lock on the front door. Neither could get in alone, but together they could access the house.
The first flaw was in Apple’s own operating system, the software that runs your iPhone, iPad, or Mac computer. This problem, identified as CVE-2025-43300, was a zero-day threat. A zero-day threat is a security hole that the software company, in this case Apple, did not know existed until attackers started using it. Apple released emergency updates to fix this problem for its devices.
The second flaw was inside the WhatsApp application itself. This problem was tracked as CVE-2025-55177. It involved the way WhatsApp handles messages for linking new devices to your account. Attackers found a way to send a specially crafted message that could trick your device into processing information from a web address they controlled. This was the entry point for the spyware. By using both the Apple flaw and the WhatsApp flaw together, attackers could take control of a device and steal personal information.
Who Was Affected by This Attack?
It is important to understand that this was not an attack on all WhatsApp users. It was a highly targeted campaign. According to Meta, WhatsApp’s parent company, fewer than 200 users were specifically targeted and later notified about the issue.
The goal of the attackers was to install spyware to steal data. This could include private messages, photos, contacts, and other sensitive information stored on a device. Security experts at Amnesty International’s Security Lab described it as an “advanced spyware campaign” that had been active for more than 90 days. The identity of the attackers has not been made public.
How to Keep Your Devices Safe
Keeping your devices and applications updated is the most important step you can take to protect yourself from these kinds of threats. When companies like Apple and WhatsApp discover security problems, they release updates to fix them. If you do not install these updates, your devices remain vulnerable.
Here is what you need to check to ensure you are protected from this specific issue:
Update WhatsApp
The security fix is included in newer versions of the app. Make sure your app is updated to at least version 2.25.21.73 for WhatsApp on iOS, version 2.25.21.78 for WhatsApp Business on iOS, or version 2.25.21.78 for WhatsApp on a Mac. You can check your app version and update it through the App Store.
Update Your Apple Devices
Apple has also released updates to fix its side of the problem. You should install these updates immediately. The safe versions are iOS 16.8.2, iPadOS 16.8.2, macOS Sequoia 15.6.1, macOS Sonoma 14.7.8, and macOS Ventura 13.7.8. You can find these updates in the Settings app on your iPhone or iPad, or in System Settings on your Mac.
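For anyone looking after more than one device, the version check described above can be run over an inventory list. The Python below is an added example, not code from WhatsApp or Apple; it covers the WhatsApp builds and macOS releases named above, and the product keys and the inventory layout are assumptions made for the example.

```python
# Added example: audit an inventory against the fixed versions named on this page.
# Product keys ("whatsapp-ios", "macos", ...) and the record layout are assumptions.

# Minimum fixed WhatsApp builds, as listed on this page.
APP_FLOORS = {
    "whatsapp-ios": "2.25.21.73",
    "whatsapp-business-ios": "2.25.21.78",
    "whatsapp-mac": "2.25.21.78",
}
# macOS is fixed per release line, so the floor depends on the major version.
MACOS_FLOORS = {15: "15.6.1", 14: "14.7.8", 13: "13.7.8"}


def parse(version):
    """'2.25.21.73' -> (2, 25, 21, 73), so parts compare as numbers, not text."""
    return tuple(int(part) for part in version.strip().split("."))


def is_at_least(installed, floor):
    """Numeric comparison; a shorter version is padded with zeros (15.6 == 15.6.0)."""
    a, b = parse(installed), parse(floor)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) >= b + (0,) * (width - len(b))


def check(product, version):
    """Return 'ok', 'update', or 'unknown' (no floor listed, or unreadable version)."""
    try:
        if product == "macos":
            floor = MACOS_FLOORS.get(parse(version)[0])
        else:
            floor = APP_FLOORS.get(product)
        if floor is None:
            return "unknown"
        return "ok" if is_at_least(version, floor) else "update"
    except ValueError:
        return "unknown"


def audit(inventory):
    """inventory: iterable of (device, product, version) tuples."""
    return [(dev, prod, ver, check(prod, ver)) for dev, prod, ver in inventory]


# Constructed sample inventory, for illustration only.
SAMPLE = [
    ("phone-01", "whatsapp-ios", "2.25.9.80"),   # 9 < 21 numerically: needs update
    ("phone-02", "whatsapp-business-ios", "2.25.21.78"),
    ("mac-01", "whatsapp-mac", "2.25.21.73"),
    ("mac-01", "macos", "15.6"),
    ("mac-02", "macos", "14.7.8"),
]

if __name__ == "__main__":
    for device, product, version, status in audit(SAMPLE):
        print(f"{device:10} {product:22} {version:12} {status}")
```

A result of "unknown" means the page lists no fixed version for that product or macOS release line, so that device needs a manual look.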
A Pattern of Spyware Attacks
This is not the first time WhatsApp has been the target of spyware campaigns. The platform’s popularity and its use for sensitive communications make it a frequent target for groups wanting to spy on individuals.
Earlier this year, WhatsApp stopped a spyware campaign from a group called Paragon that was aimed at journalists and activists in Italy. A more famous case involved the NSO Group, an Israeli company that creates a powerful spyware tool called Pegasus. In 2019, the NSO Group used a flaw in WhatsApp to install Pegasus on the phones of over 1,400 people. WhatsApp sued the NSO Group and, in May 2024, a U.S. court ordered the company to pay $167 million in damages. These past events show that WhatsApp actively works to find and stop such attacks, but they also show that threats from sophisticated spyware are ongoing.