
WhatsApp zero-click zero-day attack: What to do?

Paul Ducklin
02/04/2025

This article was originally published here:
https://pducklin.com/2025/02/03/whatsapp-zero-click-zero-day-what-to-do/

0-click, 0-day, Oh dear

WhatsApp owner Meta has apparently confirmed that a zero-day bug in the app was exploited to compromise the phones of about 90 users, including journalists.

Zero-day bugs are security holes for which no fix was available when the attackers started using them, so that even the most diligent users and sysadmins could not have patched in advance.

The compromise is also described as a zero-click attack, which means that victims can be infected even if they never click on a rogue link, and even if they never open or read the message they received, no matter how genuine it looks.

For example, if the code that receives and parses incoming messages in the first place contained a remote code execution bug, then no user click would be needed to expose that code to exploitation, because the device itself hands the rogue data straight to the vulnerable component of the app.

Just having the app installed and being logged into the WhatsApp service could therefore be enough, given that messaging apps have to process incoming calls and messages automatically in the background in order to tell you that they’ve arrived.

By the time the rogue call or message shows up (if it shows up at all, rather than being quietly suppressed by the exploit code), spyware or other malware could already have been implanted.

This implant has apparently been tied to spyware vendor Paragon and a surveillance tool called Graphite.

Good and bad news

The good news, if you can call it that, is that attacks of this sort are so difficult and expensive to develop that they are typically used only in a very targeted way, precisely so that the attack is less likely to be spotted, the bug analyzed, and a patch pushed out.

Spyware vendors generally don’t “burn” their high-cost, hard-to-replace zero-days by using them widely and drawing attention to them.

That’s presumably why the infection count currently seems to be below 100 devices, so your phone probably isn’t one of them.

The bad news is that spyware implants on phones generally aren’t easy to spot, especially on devices such as iPhones and locked-down Androids that aren’t supposed to accept digitally unsigned software from just anywhere.

Implants of this sort are typically designed to run outside the usual “walled garden” of apps that you can view and manage on your device, which makes them hard to find and as good as impossible to remove selectively using official techniques.

Updating WhatsApp, or deleting and reinstalling it, once the fix is out will clearly protect you against this bug in the future if you aren’t infected already, but finding and getting rid of any rogue components that an exploit may already have left behind on your device is another matter.

What to do?

If you’re genuinely worried that you might have been targeted, you could consider doing a full reset-and-reinstall of the vendor’s latest official firmware on your device, which is essentially a wipe-and-replace operation.

You can back up your data first, but you will probably want to avoid restoring that backup to your device for the foreseeable future, in case any bug-triggering rogue messages are preserved inside it.

This leaves you viewing your backed-up files on another device, such as an offline laptop.

That works fine for unencrypted data in a non-proprietary format, such as photos and screenshots, but not necessarily for all your data, some of which may be protected by app-specific encryption keys that live on the device itself and are lost during the reset.

For Apple iPhones, you may want to read up on DFU, short for device firmware update:
🔗 https://support.apple.com/108900

For Google Pixel devices, read up on factory images:
🔗 https://developers.google.com/android/images

For other devices, speak to your vendor.

To back up an iPhone if you don’t have a Mac or Windows computer, or don’t want to use iTunes or Finder, you can use the handy offline idevicebackup2 program from the open-source libimobiledevice toolkit:
🔗 https://libimobiledevice.org/
🔗 https://github.com/libimobiledevice

(Many Linux distros include libimobiledevice, or offer it as a ready-to-use installable package.)
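As an added example that is not part of the original article, the shell script below strings together the backup advice above for an iPhone: it takes a full backup with idevicebackup2 into a fresh, dated directory under a root you name on the command line, then writes a SHA-256 manifest of the backup so that you can confirm on the offline laptop that the copy is intact before you open anything. Only idevice_id, idevicepair and idevicebackup2 from libimobiledevice are called, plus sha256sum or shasum; the manifest helpers and the directory naming are my own, and the script deliberately never calls the restore command, since the whole point is to keep the backup off the phone.

```shell
#!/bin/sh
# Added example, not from the original article: offline iPhone backup with
# libimobiledevice, plus a SHA-256 manifest so the copy can be checked on
# another (offline) machine. Usage: sh backup.sh /path/to/backup-root
set -u

# Pick a SHA-256 tool: GNU coreutils on Linux, shasum on macOS and BSD.
sha256_cmd() {
    if command -v sha256sum >/dev/null 2>&1; then
        echo sha256sum
    else
        echo "shasum -a 256"
    fi
}

# Stop early if a required libimobiledevice tool is not installed.
require_tool() {
    command -v "$1" >/dev/null 2>&1 && return 0
    echo "missing tool: $1 (install libimobiledevice)" >&2
    return 1
}

# Fresh backup directory name: <root>/<device UDID>-<timestamp>.
backup_dir_for() {
    printf '%s/%s-%s\n' "$1" "$2" "$3"
}

# Print "hash  ./relative/path" for every regular file under a directory.
# Relative paths keep the manifest valid after the tree is copied elsewhere.
make_manifest() {
    hasher=$(sha256_cmd)
    (
        cd "$1" || exit 1
        find . -type f -print | LC_ALL=C sort | while IFS= read -r f; do
            $hasher "$f" || exit 1
        done
    )
}

# Re-hash the tree and compare with a manifest (give an absolute path).
# Exit status is non-zero if any file is missing or has changed.
verify_manifest() {
    hasher=$(sha256_cmd)
    ( cd "$1" && $hasher -c --quiet "$2" )
}

main() {
    mkdir -p "$1" || return 1
    root=$(cd "$1" && pwd)
    require_tool idevice_id && require_tool idevicepair && require_tool idevicebackup2 || return 1

    udid=$(idevice_id -l | head -n 1)
    if [ -z "$udid" ]; then
        echo "no iPhone found over USB" >&2
        return 1
    fi

    # Pairing asks you to tap Trust on the phone the first time.
    idevicepair pair || return 1

    dest=$(backup_dir_for "$root" "$udid" "$(date +%Y%m%d-%H%M%S)")
    mkdir -p "$dest" || return 1

    # Full (not incremental) backup into the new directory, then a summary.
    idevicebackup2 backup --full "$dest" || return 1
    idevicebackup2 info "$dest"

    # Record and immediately check the manifest; copy the directory and the
    # .sha256 file to the offline laptop and run verify_manifest there before
    # opening any file. Deliberately no "idevicebackup2 restore": this data
    # stays off the phone for now.
    make_manifest "$dest" > "$dest.sha256" || return 1
    verify_manifest "$dest" "$dest.sha256" && echo "backup verified: $dest"
}

# Only act when a backup root is given, so the functions can be sourced alone.
if [ "$#" -ge 1 ]; then
    main "$@"
fi
```

The manifest lives beside the backup directory rather than inside it, so it is never hashed into itself, and the paths in it are relative to the backup root, which is what lets the same file be checked again after the tree has been copied to the offline machine.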

Users of iPhones who consider themselves at special risk of being targeted could consider using Apple’s Lockdown Mode, though the restrictions it imposes may be too strict and limiting for some people:
🔗 https://support.apple.com/105120

You can also look at a mobile security product that goes beyond traditional MDM (mobile device management) software and offers active on-device protection closer to the EDR (endpoint detection and response) tools you are used to on laptops, desktops and servers.
