Zero-click attack on Whatsapp users

WhatsApp users targeted by advanced zero-click attack

Meta’s messaging service, WhatsApp, has disclosed that a group of its users was targeted by sophisticated spyware developed by Israeli firm Paragon Solutions. The attack leveraged a zero-click vulnerability, a sophisticated form of click attack, meaning victims did not need to interact with any malicious links or files for their devices to be compromised.

The attack was allegedly specifically targeted journalists, activists, and members of civil society, raising concerns about the use of commercial spyware against high-risk individuals.

How the zero-click exploits worked

Unlike traditional phishing or malware campaigns that require user interaction, zero-click exploits do zero-click attacks by exploiting vulnerabilities in software that processes data without user interaction. These attacks utilize malicious code that can be executed without user interaction through unpatched vulnerabilities in applications that process untrusted data. In some cases, a simple missed call can exploit vulnerabilities in apps like WhatsApp, enabling hackers to install spyware during the automated data exchange triggered by the call. In this case, attackers reportedly exploited a vulnerability in WhatsApp by sending specially crafted PDF files to group chats. Once received, the spyware could be executed remotely, granting unauthorized access to the victim’s device, including their encrypted messages, call logs, and potentially even microphone and camera access.

Meta has not publicly disclosed the technical specifics of the vulnerability but has confirmed that the exploit has been patched in the latest version of WhatsApp. Users are strongly advised to update their applications to the latest version to ensure protection against similar threats.

If you're not sure how phishing tricks users into giving up sensitive information, learn more about phishing here. Or if you want to understand how malware spreads and infects devices, check our in-depth guide on malware.

The attackers behind: Israeli spyware company Paragon

Paragon Solutions, founded in 2019, is one of several Israeli firms specializing in the development of advanced surveillance technology. Unlike NSO Group, which has faced global controversy for its Pegasus spyware, Paragon has positioned itself as a provider of “ethically driven” intelligence tools used exclusively by democratic governments. However, the latest revelations about the attack on WhatsApp raise questions about the true nature of its client base and operational ethics.

Despite its claims of ethical use, Paragon’s spyware appears to have been deployed in zero-click hacks against individuals who are typically seen as defenders of human rights and press freedom. This case further fuels ongoing concerns regarding the lack of accountability and oversight in the spyware industry, where powerful surveillance tools can fall into the wrong hands or be misused by authoritarian regimes.

Meta’s response and legal actions

In response to the attack, Meta has issued cease-and-desist letters to Paragon Solutions. The company has also notified affected users and provided security recommendations to mitigate the risk of further intrusions.

Unlike traditional attacks that rely on a malicious link to trick users into executing malware, zero-click exploits require no user interaction, making them harder to detect and prevent. Meta has a history of taking spyware firms to court. In 2019, it filed a lawsuit against NSO Group for allegedly hacking into WhatsApp to spy on human rights activists and journalists. While the case against NSO is ongoing, it set a precedent for Big Tech companies actively fighting back against the misuse of their platforms.

The broader implications for digital security

This attack highlights the persistent threats posed by commercial spyware and explains how zero-click attacks work by exploiting vulnerabilities in software without requiring user interaction. Zero-click malware can silently compromise devices and networks, making it a significant cybersecurity threat. The existence of zero-click vulnerabilities in commonly used applications underscores the need for continuous vigilance and security updates. While tech companies continuously work to patch vulnerabilities, the existence of firms specializing in offensive cyber capabilities raises concerns about surveillance abuses.

For individuals at risk, we recommend:

• Keeping all apps and operating systems up to date

• Avoiding unknown group chat invitations or suspicious file attachments

• Enabling additional security features such as two-step verification

• Regularly reviewing device permissions and security settings

The need for greater regulation to prevent zero-click attacks

As spyware attacks become more sophisticated, the need for international regulations on surveillance technology grows, especially given the increasing reliance on mobile device for personal and professional use. Zero-click attacks primarily target mobile devices, installing malicious software without user interaction and compromising sensitive information. These attacks can exploit vulnerabilities during phone calls, making them a prime target for sophisticated hacks. Messaging platforms like WhatsApp have been frequent targets of cyberattacks, highlighting the growing risks of mobile-based espionage. While not direct attacks on WhatsApp itself, some scams exploit the platform’s trusted nature—such as embedding malicious QR codes in messages or using social engineering tactics to deceive users. Read more about another WhatsApp-related scam in our article on how Russian hackers are leveraging advanced quishing tactics.

Digital privacy advocates and human rights organizations are urging governments to establish stricter controls on the sale and use of spyware.

The European Union and the United States have taken steps to blacklist certain spyware firms, but the industry remains largely unregulated, allowing companies like Paragon to operate in legal grey areas. Greater transparency, accountability, and international cooperation will be essential in curbing the misuse of commercial surveillance tools.

Meanwhile, digital privacy advocates continue to call for increased transparency and accountability from both spyware firms and the governments that utilize their tools. As this case unfolds, it will likely intensify the debate over how to balance national security concerns with the protection of individual privacy and human rights.