WhatsApp patches security flaw which let hackers install spyware


  • WhatsApp patches vulnerability used to deploy Graphite
  • Graphite is a commercial spyware built by Israeli devs Paragon
  • Around 90 people were targeted, WhatsApp said

WhatsApp says it has fixed a zero-day vulnerability which was apparently used by nation-states to spy on journalists, dissidents, political opponents, and others.

After being tipped off by security researchers from Citizen Lab, WhatsApp addressed a bug which allowed threat actors to deploy Graphite, a sophisticated spyware tool developed by the Israeli company Paragon Solutions.

Graphite was deployed in a “zero-click” attack, meaning no interaction from the victim was required.

Protecting your Android phone

"WhatsApp has disrupted a spyware campaign by Paragon that targeted a number of users including journalists and members of civil society. We’ve reached out directly to people who we believe were affected," a WhatsApp spokesperson told BleepingComputer.

"This is the latest example of why spyware companies must be held accountable for their unlawful actions. WhatsApp will continue to protect people’s ability to communicate privately."

A CVE was not assigned to the vulnerability.

WhatsApp further said it notified some 90 people, located in more than two dozen countries, including Italian journalists and activists.

In theory, the attack was very simple. After obtaining their targets’ phone numbers, the threat actors would add them to a WhatsApp group and then send a weaponized PDF. Because the device automatically processes PDF files, the endpoint is compromised without any action from the user. The next step is to escape the Android sandbox and install the spyware, which grants the attackers access to the device’s messaging applications.

Citizen Lab was analyzing Graphite’s infrastructure and found “potential links to multiple government customers,” including Australia, Canada, Cyprus, Denmark, Israel, and Singapore.

Governments in Europe and the United States have been quite vocal in their opposition to commercial spyware. In February 2022, the European Data Protection Supervisor (EDPS) recommended banning the use of Pegasus spyware within the EU, citing concerns over fundamental rights and freedoms. Pegasus’ developer, NSO Group, was blacklisted in the United States on November 3, 2021.


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
