
WhatsApp zero-click zero-day attack: What to do?

Paul Ducklin
02/04/2025

This article was originally published here:
https://pducklin.com/2025/02/03/whatsapp-zero-click-zero-day-what-to-do/

0-click, 0-day, Oh dear

WhatsApp owner Meta has apparently confirmed that a zero-day bug in the app has been exploited to compromise the phones of about 90 journalists.

Zero-day bugs are security holes for which no security fix was available when the attack started, so that even the most diligent users and sysadmins could not have patched in advance.

The compromise is also described as a zero-click attack, which means that victims can be infected even if they never click on a rogue link, and even if they never open or read a message they’ve received, no matter how genuine it looks.

For example, if the part of the app that accepts new messages in the first place were the site of a remote code execution bug, then no user clicks would be needed to expose the vulnerable code to exploitation, because the device itself would pass the rogue data directly to the at-risk component of the app.

Just having the app installed and being logged into the WhatsApp service could therefore be enough, given that messaging apps generally need to process data from incoming calls and messages automatically in the background for you to know they’ve arrived.

By the time the rogue call or message shows up (if it shows up at all, and isn’t sneakily suppressed by the exploit code) then spyware or other malware could already have been implanted.

This implant has apparently been tied to spyware vendor Paragon and a surveillance tool called Graphite.

Good and bad news

The good news, if you can call it that, is that the difficulty and cost of launching attacks of this sort is typically so high that they are only used in a very targeted way, in order to make spotting the attack, analyzing the bug, and pushing out a patch much harder.

Spyware vendors generally don’t “burn” their high-cost, hard-to-replace zero-days by using them widely and drawing widespread attention to them.

That’s presumably why the infection count currently seems to be below 100 devices, meaning that your phone probably isn’t one of them.

The bad news is that spyware implants on phones generally aren’t easy to spot, especially on devices such as iPhones and locked-down Androids that aren’t supposed to accept digitally-unsigned software from just anywhere.

Mobile malware is typically designed to run outside the usual “walled garden” of apps that you can view and manage on your device, making implants of this sort hard to find and as good as impossible to remove selectively using official techniques.

Deleting and reinstalling WhatsApp, once it’s patched, will clearly protect you in the future if you aren’t infected already, but finding and getting rid of any rogue software components that might be left behind on your device is another matter.

What to do?

If you’re genuinely worried that you might have been targeted, you could consider doing a full reset-and-reinstall of the vendor’s latest official firmware on your device, which is essentially a wipe-and-replace operation.

You can back up your data first, but you will probably want to avoid restoring the backup to your device for the foreseeable future, in case any bug-triggering rogue messages remain in it.

This leaves you stuck with viewing your backed-up files on another device, such as an offline laptop.

That works fine for unencrypted data in a non-proprietary format, such as photos and screenshots, but not necessarily for all your data, which may be tied to app-specific encryption keys on the device itself that will be lost during the reset.

For Apple iPhones, you may want to read up on DFU, short for device firmware update:
🔗 https://support.apple.com/108900

For Google devices, read up on Factory Images:
🔗 https://developers.google.com/android/images

For other devices, speak to your vendor.

To back up an iPhone if you don’t have a Mac or Windows computer, or don’t want to use iTunes, you can use the handy offline idevicebackup2 program from the open-source libimobiledevice toolkit:
🔗 https://libimobiledevice.org/
🔗 https://github.com/libimobiledevice

(Many Linux distros include libimobiledevice, or offer it as a ready-to-use installable package.)
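As an added example (not from the original article or the libimobiledevice project), here is a small POSIX shell script that takes a full local backup with idevicebackup2 before a wipe-and-reinstall and then checks that the backup directory contains the files a completed backup is expected to hold. It assumes the libimobiledevice command-line tools are installed and on PATH, that the phone is connected by USB, and that the backup target directory path is supplied as the first argument (the default path is our own choice).

```shell
#!/bin/sh
# Take an offline iPhone backup with libimobiledevice, then sanity-check it.
# Assumptions: idevicepair, idevice_id and idevicebackup2 are installed; the
# phone is connected over USB and you can tap "Trust" on it when prompted.
set -eu

BACKUP_ROOT="${1:-$HOME/iphone-backup}"   # where the backup tree goes

# idevicebackup2 stores the backup under a subdirectory named after the
# device UDID. A finished backup holds these four metadata files next to the
# hashed file store; if any is missing, the backup did not complete.
backup_looks_complete() {
    dir="$1"
    for f in Info.plist Manifest.plist Status.plist Manifest.db; do
        [ -f "$dir/$f" ] || return 1
    done
    return 0
}

take_backup() {
    mkdir -p "$BACKUP_ROOT"
    # Pairing is required before the backup service on the phone will talk to us.
    idevicepair pair
    udid="$(idevice_id -l | head -n 1)"
    [ -n "$udid" ] || { echo "no paired device found" >&2; return 1; }
    # --full forces a complete (non-incremental) backup into BACKUP_ROOT/<udid>.
    idevicebackup2 backup --full "$BACKUP_ROOT"
    if ! backup_looks_complete "$BACKUP_ROOT/$udid"; then
        echo "backup in $BACKUP_ROOT/$udid looks incomplete" >&2
        return 1
    fi
    echo "backup written to $BACKUP_ROOT/$udid"
    # Deliberately no 'idevicebackup2 restore' here: after a reset, read the
    # backed-up files on a separate offline machine rather than restoring them
    # onto the phone, in case a bug-triggering message is still in the backup.
}

# Only touch a device when explicitly asked, so sourcing the file is harmless.
case "${2:-}" in
    run) take_backup ;;
esac
```

Invoke it as `sh backup.sh /path/to/backups run`; the resulting directory can then be copied to the offline laptop mentioned above.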

Users of iPhones who consider themselves at special risk of being targeted could consider using Apple’s Lockdown Mode, though the degree of lockdown it imposes may be too strict and limiting for some people:
🔗 https://support.apple.com/105120

You can also look at a mobile security solution that goes beyond traditional MDM (mobile device management) software, and offers active on-device protection that’s more like the EDR (endpoint detection and response) tools you are used to on laptops, desktops and servers.
