This article was originally published here:
https://pducklin.com/2025/02/03/whatsapp-zero-click-zero-day-what-to-do/
WhatsApp owner Meta has apparently confirmed that a zero-day bug in the app has been exploited to compromise the phones of about 90 journalists.
Zero-day bugs are security holes for which no security fix was available when the attack started, so that even the most diligent users and sysadmins could not have patched in advance.
The compromise is also described as a zero-click attack, which means that victims can be infected even if they never click on a rogue link, and even if they never open or read a message they’ve received, no matter how genuine it looks.
For example, if the part of the app that accepts new messages in the first place were the site of a remote code execution bug, then no user clicks would be needed to expose the vulnerable code to exploitation, because the device itself would pass the rogue data directly to the at-risk component of the app.
Just having the app installed and being logged into the WhatsApp service could therefore be enough, given that messaging apps generally need to process data from incoming calls and messages automatically in the background for you to know they’ve arrived.
By the time the rogue call or message shows up (if it shows up at all, and isn’t sneakily suppressed by the exploit code) then spyware or other malware could already have been implanted.
This implant has apparently been tied to spyware vendor Paragon and a surveillance tool called Graphite.
The good news, if you can call it that, is that the difficulty and cost of launching attacks of this sort is typically so high that they are only used in a very targeted way, in order to make spotting the attack, analyzing the bug, and pushing out a patch much harder.
Spyware vendors generally don’t “burn” their high-cost, hard-to-replace zero-days by using them widely and drawing widespread attention to them.
That’s presumably why the infection count currently seems to be below 100 devices, meaning that your phone probably isn’t one of them.
The bad news is that spyware implants on phones generally aren’t easy to spot, especially on devices such as iPhones and locked-down Androids that aren’t supposed to accept digitally-unsigned software from just anywhere.
Mobile malware is typically designed to run outside the usual “walled garden” of apps that you can view and manage on your device, making implants of this sort hard to find and as good as impossible to remove selectively using official techniques.
Deleting and reinstalling WhatsApp, once it’s patched, will clearly protect you in the future if you aren’t infected already, but finding and getting rid of any rogue software components that might be left behind on your device is another matter.
If you’re genuinely worried that you might have been targeted, you could consider doing a full reset-and-reinstall of the vendor’s latest official firmware on your device, which is essentially a wipe-and-replace operation.
You can back up your data first, but you will probably want to avoid restoring the backup to your device for the foreseeable future, in case any bug-triggering rogue messages remain.
This leaves you stuck with viewing your backed-up files on another device, such as an offline laptop.
That works fine for unencrypted data in a non-proprietary format, such as photos and screenshots, but not necessarily for all your data, which may be tied to app-specific encryption keys on the device itself that will be lost during the reset.
For Apple iPhones, you may want to read up on DFU, short for device firmware update:
🔗 https://support.apple.com/108900
For Google devices, read up on Factory Images:
🔗 https://developers.google.com/android/images
For other devices, speak to your vendor.
To back up an iPhone if you don’t have a Mac or Windows, or don’t want to use iTunes, you can use the handy offline idevicebackup2 program from the open-source libimobiledevice toolkit:
🔗 https://libimobiledevice.org/
🔗 https://github.com/libimobiledevice
(Many Linux distros include libimobiledevice, or offer it as a ready-to-use installable package.)
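As an added example (not from the original article, and not code from the libimobiledevice project), here is how you might pull photos and screenshots out of an unencrypted backup made with idevicebackup2 onto that offline laptop, without restoring anything to a phone. It relies on the layout of iOS backups: an SQLite catalogue, Manifest.db, whose Files table maps each stored blob (kept at <backup>/<first two hex chars of fileID>/<fileID>) to a domain and relative path. Assumptions: backup encryption is off (an encrypted backup’s Manifest.db cannot be opened this way), and the sample backup the code builds for itself is a constructed stand-in for a real one.

```python
import hashlib, sqlite3, tempfile
from pathlib import Path

def list_media(backup_dir, domain="CameraRollDomain", prefix="Media/DCIM/"):
    """Catalogue entries for regular files (flags == 1) under the camera roll."""
    con = sqlite3.connect(f"file:{Path(backup_dir) / 'Manifest.db'}?mode=ro", uri=True)
    rows = con.execute("SELECT fileID, relativePath FROM Files WHERE domain = ? AND "
                       "relativePath LIKE ? AND flags = 1 ORDER BY relativePath",
                       (domain, prefix + "%")).fetchall()
    con.close()
    return rows

def export_media(backup_dir, out_dir):
    """Copy catalogued photos to out_dir/<relativePath>; returns the paths written. The manifest
    came off a suspect device, so its paths are untrusted: any that would escape out_dir is skipped."""
    out_root = Path(out_dir).resolve()
    exported = []
    for file_id, rel in list_media(backup_dir):
        src = Path(backup_dir) / file_id[:2] / file_id   # where the backup keeps the blob
        dst = (out_root / rel).resolve()
        if out_root not in dst.parents or not src.is_file():
            continue  # path escapes the export dir, or the blob is missing from the backup
        dst.parent.mkdir(parents=True, exist_ok=True)
        dst.write_bytes(src.read_bytes())
        exported.append(rel)
    return exported

def make_sample_backup(root):
    """Constructed stand-in for a real backup directory, so the code runs with no phone."""
    root = Path(root); root.mkdir(parents=True, exist_ok=True)
    con = sqlite3.connect(str(root / "Manifest.db"))
    con.execute("CREATE TABLE Files (fileID TEXT PRIMARY KEY, domain TEXT, "
                "relativePath TEXT, flags INTEGER, file BLOB)")
    entries = [("CameraRollDomain", "Media/DCIM/100APPLE/IMG_0001.JPG", 1, b"\xff\xd8jpeg-bytes"),
               ("CameraRollDomain", "Media/DCIM/100APPLE", 2, b""),                   # directory
               ("CameraRollDomain", "Media/DCIM/../../../evil.sh", 1, b"#!/bin/sh"),  # hostile path
               ("HomeDomain", "Library/SMS/sms.db", 1, b"not a photo")]               # other domain
    for domain, rel, flags, blob in entries:
        file_id = hashlib.sha1(f"{domain}-{rel}".encode()).hexdigest()  # iOS's fileID scheme
        con.execute("INSERT INTO Files VALUES (?, ?, ?, ?, NULL)", (file_id, domain, rel, flags))
        if flags == 1:
            (root / file_id[:2]).mkdir(exist_ok=True)
            (root / file_id[:2] / file_id).write_bytes(blob)
    con.commit(); con.close()

def demo():
    tmp = Path(tempfile.mkdtemp())   # build the constructed backup, export it, report the outcome
    make_sample_backup(tmp / "backup")
    listed = [rel for _, rel in list_media(tmp / "backup")]
    exported = export_media(tmp / "backup", tmp / "photos")
    return listed, exported, (tmp / "evil.sh").exists()   # last item must stay False
```

Point export_media at the directory you gave to idevicebackup2 backup --full and at an empty folder on the offline machine; only files under Media/DCIM/ in the camera-roll domain are copied, and the directory entry, the other domain and the path that tries to climb out of the export folder are all left alone.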
Users of iPhones who consider themselves at special risk of being targeted could consider using Apple’s Lockdown Mode, though the degree of lockdown it imposes may be too strict and limiting for some people:
🔗 https://support.apple.com/105120
You can also look at a mobile security solution that goes beyond traditional MDM (mobile device management) software, and offers active on-device protection that’s more like the EDR (endpoint detection and response) tools you are used to on laptops, desktops and servers.