A new spyware attack targeting Apple devices has raised serious concerns about user security. This sophisticated attack combined two vulnerabilities: one in WhatsApp (CVE-2025-55177) and another in Apple’s iOS and macOS (CVE-2025-43300). Together, they enabled hackers to infiltrate Apple devices without any action from the user, making it a “zero-click” exploit.
Zero-click spyware is particularly dangerous because it doesn’t require victims to click on a malicious link or open a harmful file. Instead, the malware silently enters through WhatsApp, immediately giving attackers access to sensitive data such as messages and personal information. According to Amnesty International’s Security Lab, this campaign lasted for around 90 days, starting in late May.
Who Was Affected?
Meta, the parent company of WhatsApp, confirmed that fewer than 200 users were targeted by this exploit. Although Meta did not specify the source of the spyware or point to any particular vendor or government, experts have characterized the attack as an “advanced spyware campaign.” The victims were likely to include high-risk individuals such as journalists, activists, and others whose communications are often under surveillance.
Donncha Ó Cearbhaill from Amnesty’s Security Lab stressed the severity of the issue, explaining that the attack succeeded only because the flaw in WhatsApp and the flaw in Apple’s system were exploited together. If either flaw had been patched alone, the exploit would not have been as effective.
Response from Apple and Meta
Both Apple and Meta moved quickly to address the vulnerabilities. Apple released a security patch for iOS and macOS on August 20, while Meta followed up with a fix for WhatsApp a few weeks later. Both companies have assured users that devices are secure, provided the latest updates have been installed. However, until both patches are applied, attackers could still exploit the vulnerabilities.
The Importance of Quick Updates
This incident highlights the critical importance of keeping software up to date, especially when dealing with zero-click exploits. Such attacks don’t rely on user error, making them even more dangerous and harder to defend against. While Apple has long marketed its ecosystem as a secure environment, this breach serves as a reminder that no system is completely immune to determined attackers.
For users, the takeaway is clear: don’t delay updates. While these types of spyware campaigns are often targeted at specific individuals or groups, anyone who postpones security updates is at risk. For journalists, activists, or dissidents, even a short delay in applying a patch could lead to the theft of sensitive messages, photos, or documents.
By staying vigilant and updating quickly, users can better protect themselves from the growing threat of sophisticated digital espionage.